Chapter 1

Introduction 


Synchronizing clocks in the presence of faults is a classic problem in distributed computing. Even the most accurate clocks do drift at significant rates, both with respect to a time standard and relative to each other. In order for independent processors to exhibit cooperative behavior, it is often required that their local clocks be synchronized. Such synchrony is the basis for distributed algorithms that use timeouts, time stamps, and rounds of message passing. Synchronization is also assumed when the same computation is executed on multiple, independent processors in order to mask processor failures. Digital avionics systems constitute a typical example of the need for synchronized clocks. In these systems, the results of multiple redundant processors are voted to ensure a high degree of fault tolerance, and the processor clocks must be synchronized in order to carry this out. Clock synchronization problems led to the scrubbing of the first scheduled launch of the NASA Space Shuttle [4], and to anomalous behavior of the Voyager spacecraft [5]. Butler [6] presents a survey of various clock synchronization protocols.

Synchronizing clocks in the presence of faults is a difficult problem. If synchrony is maintained by periodically broadcasting a global clock value to each of the processors, the failure of the global clock then becomes critical. On the other hand, if each processor has its own local clock and these clocks are initially synchronized, they might slowly drift apart so that with time the system loses its ability to behave synchronously. It is therefore necessary to periodically resynchronize the clocks. We are concerned here with algorithms that perform this resynchronization in a fault tolerant manner. In the cases we consider, the clocks are required to be synchronized only with respect to each other and not with respect to some external standard clock. The primary requirement that any solution must satisfy is that at any instant, the absolute difference, or the skew, between two clock readings should be within some bound δ. The secondary requirement is that there must be a small bound on the correction required to keep clocks in synchrony. The latter requirement prevents trivial solutions that, for example, reset the clocks to zero at each round of synchronization. We restrict our focus to the primary requirement, since the secondary requirement turns out to be a straightforward consequence of one of the assumptions for the operation of the protocol studied here.

To implement synchronized clocks, each processor has a physical clock whose drift rate with respect to a fixed standard time is bounded. We refer to the fixed standard time as real time. In addition to the physical clock, each processor maintains a logical, or virtual, clock that is computed by periodically applying an adjustment to the reading of the physical clock. The adjustment to be applied at the end of each period is determined by means of a synchronization protocol. The application of such an adjustment could be continuous so that the individual clock ticks are either sped up or slowed down, but no clock ticks are dropped or repeated. Alternately, the adjustment could be applied in an instantaneous manner, in which case some clock ticks might be dropped or repeated. In the latter situation, critical events should not be scheduled during these clock ticks. This report only considers the case of instantaneous clock adjustments. These results are therefore applicable to the class of systems that have a synchronization phase followed by a period of normal operation in each cycle of synchronization. The results here can be extended to the case of continuous clock adjustments. Schneider [1] presents an analysis of continuous adjustments.

To take a somewhat coarse look at clock synchronization, suppose that the various physical clocks start synchronized and drift apart from real time at a rate not exceeding ρ. For example, a clock might gain or lose up to a minute every hour. The processors operate normally for a period R of, say, an hour. The processors then engage in a round of synchronization during which they exchange clock values. Assume for simplicity that the communication between clocks occurs instantaneously. At some mutually agreeable instant, the processors reset their clocks to some mutually agreeable value such as the average of their clock readings. Thus at the end of such a round of synchronization, the skew between clocks vanishes. Clearly, if we want the clocks to be no more than δ apart, the period R between synchronizations should not exceed δ/2ρ. Given that ρ is a minute per hour, and R is an hour, δ can be no less than two minutes.

The above outline obviously makes a great many simplifying assumptions, but it does capture the basic process of clock synchronization. The most significant invalid assumption is that clocks and processors do not fail. Clock synchronization protocols ought to be able to tolerate a certain number of processor failures since they are often used to synchronize multiple processors in fault-tolerant architectures. When processors do fail, they could do so in the worst possible way by exhibiting arbitrarily different behaviors towards different processors, e.g., by “maliciously” communicating different clock values to different processors. Such failures are known as Byzantine failures [7]. Consider the case of three clocks a, b, and c, when a reads 12 noon, b reads 11:59 am, and c has failed. To resynchronize, they exchange clock values and c maliciously communicates its value as 12:01 pm to a and as 11:58 am to b. Suppose each clock is resynchronized by taking the average of all the clock values observed by it; then a resets itself to 12 noon and b resets itself to 11:59 am. The clocks are thus no closer following resynchronization than immediately prior to resynchronization. Thus the clocks can continue to drift even further apart until the next round of synchronization.

The above scenario illustrates one of the earliest clock synchronization protocols capable of tolerating Byzantine processor failures: the Interactive Convergence Algorithm (ICA) of Lamport and Melliar-Smith [3]. ICA tolerates up to ⌊(N − 1)/3⌋ failures for N processors. In ICA, a processor p resynchronizes for the i'th time when its clock reads iR. Processor p then reads the difference between the other clock readings and its own clock reading. By ignoring clock differences larger than a certain value Δ, processor p computes the egocentric mean of the acceptable clock differences as the correction required to resynchronize its clock. Rushby and von Henke [8] have subjected Lamport and Melliar-Smith's proof of correctness to mechanical scrutiny using EHDM. As is often the case with fault-tolerant distributed protocols, the original proof is both subtle and complex. The mechanical verification was able to identify and correct several minor flaws, and to significantly streamline the proof.

Schneider [1] presents a clock synchronization scheme that generalizes protocols such as ICA. Schneider's clock synchronization scheme (abbreviated here as SCS) regards each logical clock as being periodically reset to a value computed by a convergence function. The egocentric mean of ICA is an instance of such a convergence function. Schneider places certain natural conditions on the behavior of suitable convergence functions and shows that these conditions are sufficient for bounding the skew between the resulting logical clocks. He also shows that the convergence functions used by a number of existing protocols satisfy these restrictions. Such a schematic presentation of Byzantine clock synchronization provides an elegant framework for understanding various individual protocols, and greatly simplifies the proofs of their correctness.

Since the SCS protocol captures the mathematics behind Byzantine clock synchronization in an abstract and schematic manner, it makes an interesting candidate for verification. The schematic nature of the SCS protocol makes it convenient to subsequently verify a number of specific protocols as instances of the SCS protocol. Also, Schneider's analysis employs a global “real time” rather than clock time as its frame of reference, i.e., clocks map real time to clock time. Lamport and Melliar-Smith's analysis [3] of ICA and the verification by Rushby and von Henke [8] were both carried out in terms of clocks that mapped clock time to real time. The use of clock time as a frame of reference makes some of the mathematics fairly cumbersome and also makes the specification harder to understand. It seems reasonable to assume that to each real time instant there is a unique clock reading, but not quite as reasonable to insist that there is a unique real time instant corresponding to a clock reading, since a failed clock could exhibit the same reading at different real time instants. It is, of course, possible to explain away such objections. The question of what is the best framework for specifying such protocols is, to our knowledge, still open.

The mechanical verification of the SCS protocol was carried out using the EHDM verification system developed at the Computer Science Laboratory of SRI International. The egocentric mean function of the ICA protocol was also verified as satisfying Schneider's restrictions. The SCS protocol and its informal proof are presented in Chapter 2. An overview of the mechanically checked proof is presented in Chapter 3. The appendices contain the complete listing of the proof that was presented as input to EHDM.

The use of EHDM to check the proof led to the clarification of a number of details from Schneider's original presentation without tampering unduly with the outline and intent of his argument. Schneider's proof employs a monotonicity condition on convergence functions that was found to be inessential for the proof. The monotonicity condition actually fails for ICA and other similar convergence functions (see Section 2.4). Schneider's proof requires certain relations to hold between the convergence behavior of the convergence function, the drift rate of the physical clocks, the error in communicating clock values, and the time between synchronization rounds. The machine proof clears up some minor inaccuracies in Schneider's derivation of these relations.

Acknowledgements. John Rushby supplied much of the background and guidance for this work. Friedrich von Henke helped me get started with EHDM. I am also grateful to Fred Schneider and Rick Butler for their encouragement.
Chapter 2

Schneider’s Schema for 
Clock Synchronization 


Schneider shows that a number of known algorithms for synchronizing Byzantine clocks can be presented in a uniform manner so that their individual proofs are greatly simplified [1]. The exposition below follows Schneider's outline quite closely, but revises a number of the details in the description of the protocol as well as the proof. Section 2.1 describes how the logical clock is computed from the physical clock using the convergence function. Section 2.2 describes the conditions on the behavior of clocks and on suitable convergence functions. The proof of correctness of clock synchronization from the conditions of Section 2.2 is outlined in Section 2.3.


2.1 Defining Clocks 

The physical and logical clocks are presented as functions from real time (as given by some external standard) to clock readings. This real time thus forms the frame of reference and is often referred to simply as “time.”¹ The variable t ranges over this real time. Synchronization takes place in rounds. The time at which processor p adjusts its clock following the i'th round of synchronization is represented by $t_p^i$. The starting time $t_p^0$, which is the time from which the system is observed, is taken to be zero.

In our abstraction, both the real time and the clock readings can be interpreted as ranging over the real numbers or the rationals. The ordered field axioms that are used are satisfied by both the real numbers and the rationals. The term $PC_p(t)$ is the reading of p's physical clock at real time t. The adjusted virtual clock reading at time $t_p^i$ is computed by applying an adjustment $adj_p^i$ to the physical clock reading $PC_p(t_p^i)$. In its i'th interval of operation, i.e., when $t_p^i \le t < t_p^{i+1}$, the virtual clock reading $VC_p(t)$ is given by $PC_p(t) + adj_p^i$. At round 0, the adjustment $adj_p^0$ is taken to be 0 so that for $t < t_p^1$ the reading $VC_p(t)$ is just $PC_p(t)$. In other words, in the first period of operation, each clock takes its physical clock reading as its virtual clock reading. This means that for synchronization over the first period, we need as a condition a bound on the initial skews between the physical clocks of nonfaulty processors.

¹ In the original presentation of the interactive convergence algorithm, clocks are represented as functions from clock time to the external standard time [3, 8].

For i > 0, we let $\Theta_p^i$ be an array of clock readings so that $\Theta_p^i(q)$ is p's reading of q's clock at time $t_p^i$. In the EHDM formalization, the array of observed clock readings $\Theta_p^i$ is actually represented as a function from clocks to readings. The corrected value of $VC_p(t_p^i)$ is computed by a convergence function, $cfn(p, \Theta_p^i)$. The adjustment $adj_p^i$ to be applied to the physical clock is therefore given by the difference $cfn(p, \Theta_p^i) - PC_p(t_p^i)$. Since $\Theta_p^i$ is a function, cfn is a higher-order function.

The above explanation of $\Theta_p^i(q)$ does not specify whether q's physical or virtual clock is the one that is read by clock p. Note that if $t_q^i$ preceded $t_p^i$, then q's virtual clock has already been adjusted for the i'th time at time $t_p^i$. In Schneider's model, $\Theta_p^i(q)$ is a reading of q's virtual clock at time $t_p^i$ but ignoring the i'th correction that may have already been applied to q's clock. This value is represented by an abstraction called the interval clock. The interval clock reading $IC_q^i(t)$ is given by $PC_q(t) + adj_q^i$. Thus for i > 0, the value $\Theta_p^i(q)$ is p's reading of $IC_q^{i-1}(t_p^i)$. The rationale for introducing an interval clock is that the observed clock readings in the protocol are based on readings exchanged prior to synchronization. The interval clock is an abstraction that is useful for describing the protocol and it need not actually be implemented. The physical and virtual clocks are of course both implemented.

The above description leads to the following definitions, where i ranges over the natural numbers and $t \ge 0$.

$adj_p^{i+1} = cfn(p, \Theta_p^{i+1}) - PC_p(t_p^{i+1})$   (2.1.1)

$adj_p^0 = 0$   (2.1.2)

$IC_p^i(t) = PC_p(t) + adj_p^i$   (2.1.3)

$VC_p(t) = IC_p^i(t)$, for $t_p^i \le t < t_p^{i+1}$   (2.1.4)

It is easy to derive the following from Definitions (2.1.1), (2.1.3), and (2.1.4).

$VC_p(t_p^{i+1}) = IC_p^{i+1}(t_p^{i+1}) = cfn(p, \Theta_p^{i+1})$   (2.1.5)

$IC_p^{i+1}(t) = cfn(p, \Theta_p^{i+1}) + PC_p(t) - PC_p(t_p^{i+1})$   (2.1.6)

So far we have merely defined the virtual and interval clock functions in terms of the physical clock function $PC_p(t)$, the synchronization times $t_p^i$, and the convergence function cfn applied to the clock readings $\Theta_p^i$. In the next section, we enumerate Schneider's constraints on these quantities when p is a nonfaulty, or correct, processor. The main result we obtain from these constraints and the above definitions is a bound δ on the skew between the logical clocks of two correct processors p and q.
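The definitions above, run on a constructed instance as added example code (not from the report or its EHDM listing): four clocks of which clock 3 is Byzantine, exact rational arithmetic (one of the two interpretations the report allows), the ICA egocentric mean with an acceptance threshold Δ standing in for cfn, a fixed schedule $t_p^i = iR + \mathrm{offset}_p$ for the synchronization times, and zero reading error Λ. Every numeric value (R, ρ, Δ, the drifts and offsets, the faulty clock's behaviour) is an assumption made for the example.

```python
from fractions import Fraction as Fr

# Constructed instance (assumed values, not from the report). Times and
# readings are exact rationals, so every comparison below is exact.
R = Fr(60)             # period between rounds: r_min = r_max = R (minutes)
RHO = Fr(1, 100)       # drift-rate bound rho
N, FAULTY = 4, 3       # four clocks; clock 3 is Byzantine (F = 1)
GOOD = [0, 1, 2]
DELTA = Fr(8)          # ICA acceptance threshold (assumed)

# Nonfaulty physical clocks PC_p(t) = PC_p(0) + (1 + drift_p) t satisfy
# bounded drift, |drift_p| <= RHO. The initial skew is 1 (clock 1).
PC0 = {0: Fr(0), 1: Fr(1), 2: Fr(1, 2)}
DRIFT = {0: RHO, 1: -RHO, 2: Fr(0)}
OFFSET = {0: Fr(0), 1: Fr(1, 5), 2: Fr(2, 5)}   # bounded delay beta = 2/5

def PC(p, t):
    return PC0[p] + (1 + DRIFT[p]) * t

def sync_time(p, i):
    """t_p^i: real time at which p applies its i'th adjustment (assumed schedule)."""
    return i * R + OFFSET[p]

def egocentric_mean(p, theta, delta):
    """ICA convergence function cfn(p, theta); theta maps every clock to the
    reading p took of it. Differences from p's own reading larger than delta
    are ignored (counted as 0); delta=None accepts everything (plain average)."""
    own = theta[p]
    total = Fr(0)
    for d in (theta[l] - own for l in range(N)):
        if delta is None or abs(d) <= delta:
            total += d
    return own + total / N

def faulty_report(reader, own_reading, lie):
    """Byzantine clock 3: tells clock 0 it is ahead by `lie` and every other
    reader that it is behind by `lie`, pushing the nonfaulty clocks apart."""
    return own_reading + lie if reader == 0 else own_reading - lie

def max_skew(adj, t):
    """Largest |VC_p(t) - VC_q(t)| over nonfaulty p, q, with VC_p = PC_p + adj_p."""
    vc = [PC(p, t) + adj[p] for p in GOOD]
    return max(abs(a - b) for a in vc for b in vc)

def simulate(rounds, delta=DELTA, lie=DELTA):
    """Run `rounds` rounds of the schema; return the largest skew observed
    between nonfaulty virtual clocks at any synchronization instant."""
    adj = {p: Fr(0) for p in GOOD}                     # adj_p^0 = 0      (2.1.2)
    worst = Fr(0)
    for i in range(rounds):
        old = dict(adj)   # adj_q^i: the interval clocks IC_q^i that are read in round i+1
        # nonoverlap holds (beta <= r_min), so round i+1 is processed in time order
        for p in sorted(GOOD, key=lambda q: sync_time(q, i + 1)):
            t = sync_time(p, i + 1)
            worst = max(worst, max_skew(adj, t))      # just before p adjusts
            # Theta_p^{i+1}(q) = IC_q^i(t_p^{i+1}) = PC_q(t) + adj_q^i   (Lambda = 0)
            theta = {q: PC(q, t) + old[q] for q in GOOD}
            theta[FAULTY] = faulty_report(p, theta[p], lie)
            adj[p] = egocentric_mean(p, theta, delta) - PC(p, t)   # (2.1.1)
            worst = max(worst, max_skew(adj, t))      # just after p adjusts
    # the skew keeps growing by drift until the next round would begin
    return max(worst, max_skew(adj, sync_time(0, rounds + 1)))

if __name__ == "__main__":
    print("lies of size DELTA, threshold DELTA  :", float(simulate(12)))
    print("lies of 1000, threshold DELTA        :", float(simulate(12, lie=Fr(1000))))
    print("lies of 1000, plain average (no DELTA):", float(simulate(12, delta=None, lie=Fr(1000))))
```

With the threshold in place a faulty clock shifts each correct clock by at most Δ/N per round, so the skew settles below Δ; without it (plain averaging, as in the three-clock scenario of Chapter 1) the same clock drives the correct clocks hundreds of minutes apart.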


Theorem 2.1.1 (bounded skew) For any two clocks p and q that are nonfaulty at time t,

$|VC_p(t) - VC_q(t)| \le \delta$   (2.1.7)

The proof of Theorem 2.1.1 is outlined in Section 2.3.1.


2.2 Clock conditions 

In formalizing the laws constraining the behavior of individual clocks, we must ensure that no assumptions are made regarding the faulty clocks since we are dealing with Byzantine failures. These laws, which are conditions on the behavior of clocks, are enumerated as axioms within the boxes below. Individual protocols and clock implementations are expected to satisfy these conditions.

The conditions constraining the behavior of clocks employ a number of constants represented by lowercase Greek letters. All of these constants are taken to be non-negative.

Section 2.1 above described how the processors go through rounds of synchronization. The proof of Theorem 2.1.1 is by induction on the number of rounds. The main idea of the proof is to show that the virtual clocks are within $\delta_S$ immediately following a round of synchronization, and the skew between them does not exceed δ in the following period until the next round of synchronization. To start, the following condition asserts that the nonfaulty clocks are synchronized to within the quantity $\delta_S$ at time 0.

Condition 1 (initial skew) For nonfaulty processors p and q

$|PC_p(0) - PC_q(0)| \le \delta_S$   (2.2.8)


The nonfaulty physical clocks must keep good enough time so that they do not drift away from real time by a rate greater than ρ.

Condition 2 (bounded drift) There is a nonnegative constant ρ such that if clock p is nonfaulty at time s, $s \ge t$, then

$(1 - \rho)(s - t) \le PC_p(s) - PC_p(t) \le (1 + \rho)(s - t)$   (2.2.9)

A useful corollary to bounded drift is that two physical clocks p and q that are not faulty at time s,² for $s \ge t$, can drift further apart over the interval s − t by 2ρ(s − t), since both p and q can drift by ρ(s − t) with respect to real time, but in opposite directions.

$|PC_p(s) - PC_q(s)| \le |PC_p(t) - PC_q(t)| + 2\rho(s - t)$   (2.2.10)

Each protocol has some mechanism for triggering the resynchronization of the clocks. Schneider postulates the existence of a global synchronization signal, $t_G^i$, which occurs at a period bounded from above and below. One can usually interpret $t_G^i$ as the real-time instant when the first nonfaulty processor decides to resynchronize for the i'th time. Schneider's conditions on $t_G^i$ are stated in terms of positive constants which we name lo, hi, and wid. His first condition is that the period $t_G^{i+1} - t_G^i$ is bounded from below by lo, and from above by hi. The second condition bounds the delay in receiving the trigger so that $t_p^i - t_G^i \le wid$, for nonfaulty p.

Our description of the proof uses a slightly different set of parameters in order to dispense with the notion of a global synchronization signal used in Schneider's formulation. The parameters below seem easier to identify for the various instances of Schneider's protocol. The different choice of parameters does not affect the proof of correctness in any significant way. For individual synchronization protocols, it should be possible to derive one set of parameters from the other.

² In the description of the machine verification, great pains are taken to indicate the times at which the clocks are required to be nonfaulty. The rest of the informal outline of the proof makes the simplifying assumption that clocks are either faulty or nonfaulty, and disregards the time at which clocks are asserted as being nonfaulty.


Condition 3 (bounded interval) For nonfaulty clock p

$0 < r_{min} \le t_p^{i+1} - t_p^i \le r_{max}$   (2.2.11)

Condition 4 (bounded delay) For nonfaulty clocks p and q³

$|t_p^i - t_q^i| \le \beta$   (2.2.12)

Condition 5 (initial synchronization) For nonfaulty clock p

$t_p^0 = 0$   (2.2.13)


From the conditions of bounded interval and bounded delay above, it follows that if $\beta < r_{min}$, then $t_p^i < t_q^{i+1}$ for nonfaulty clocks p and q; i.e., there is no overlap between the i'th and the (i + 1)'th rounds of synchronization. Since we do want the synchronization rounds not to overlap, we state the following as a condition. If the periods were allowed to overlap, then the protocol would be difficult to implement since p could have started its (i + 1)'th clock before another processor q had started its i'th clock.

Condition 6 (nonoverlap)

$\beta \le r_{min}$   (2.2.14)

Another corollary of the bounded interval and bounded delay conditions is that for any two nonfaulty clocks p and q, we can derive

$0 < t_p^{i+1} - t_q^i \le r_{max} + \beta$.   (2.2.15)

For nonfaulty clocks p and q, $\Theta_p^{i+1}(q)$ represents p's observation of q's i'th clock reading at time $t_p^{i+1}$, i.e., it is p's estimate of $IC_q^i(t_p^{i+1})$. The error in this reading is assumed to be bounded by Λ.

Condition 7 (reading error) For nonfaulty clocks p and q,

(2.2.16)


The above conditions turn out to be sufficient to bound the skew in the period between successive rounds of synchronization in terms of the skew bound $\delta_S$ immediately following synchronization. The conditions below of bounded faults, translation invariance, and precision enhancement are needed to derive the skew bound $\delta_S$. The condition of accuracy preservation below is needed to bound the skew between virtual clocks when, for instance, q has synchronized for the i'th time but p has not.

The parameter N is the total number of processors, and F is the maximum number of faulty clocks that the algorithm is expected to tolerate. This property of the system is captured by the following condition.

Condition 8 (bounded faults) At any time t, the number of processors faulty at time t is at most F.


The conditions below are mathematical constraints placed on the convergence function, i.e., clocks, drifts, and failures do not play any role in the statements. The isolation of the constraints makes it possible to demonstrate that the egocentric mean function of ICA satisfies the conditions of translation invariance, precision enhancement, and accuracy preservation in purely mathematical terms. Note that these conditions do not make any distinction between the faulty and the nonfaulty clocks but are instead given in terms of a subset C of clocks satisfying certain mathematical constraints.

Suppose that $t_p^i \ge t_q^i$ for nonfaulty p and q; then in order to compute $\delta_S$, we are interested in comparing the clock times for p and q at $t_p^i$, the time when clocks p and q have both just been synchronized for the i'th time. Processor q starts its i'th interval clock at $t_q^i$ with value $cfn(q, \Theta_q^i)$, so that its reading at $t_p^i$ is $cfn(q, \Theta_q^i) + x$, where $x = PC_q(t_p^i) - PC_q(t_q^i)$. The condition of translation invariance indicates that adding x to the value of the convergence function should be the same as adding x to each clock reading instead. Recall that the array of clock readings is represented by a function from clocks to readings so that cfn is a higher-order function.


Condition 9 (translation invariance) For any function θ mapping clocks to clock values,

$cfn(p, (\lambda n: \theta(n) + x)) = cfn(p, \theta) + x$   (2.2.17)


As a consequence of translation invariance, we know that at $t_p^i$, both p and q have been resynchronized and $VC_q(t_p^i) = cfn(q, (\lambda n: \Theta_q^i(n) + x))$ for some x, and $VC_p(t_p^i) = cfn(p, \Theta_p^i)$. We clearly need some condition to bound the difference between these two values of the convergence function to within $\delta_S$. The condition of precision enhancement allows exactly such a comparison between values of the convergence function based on the range of values of some subset of the clock readings that intuitively correspond to the readings of nonfaulty clocks.

In the statement of precision enhancement, γ and θ are any two arrays (or functions) of clock readings, and C is to be intuitively interpreted as the subset of nonfaulty processors. This interpretation of C is permissible by the bounded faults condition. The reason it is not directly taken to be the set of nonfaulty clocks is because the protocol cannot assume that any individual clock can distinguish the faulty from the nonfaulty clocks. The convergence functions for some protocols can neglect readings of nonfaulty clocks while considering readings of faulty clocks.

Precision enhancement is used to bound the skew between two clocks immediately after both have been resynchronized, whereas accuracy preservation is used to bound the skew between a clock that has been resynchronized and one that has yet to be resynchronized in the i'th round. The condition of precision enhancement bounds the skew between two clocks as computed by the convergence function, based on the skews between the clock readings that are inputs to the convergence function. We will refer to the clocks in C as C-clocks. Precision enhancement then asserts that if the readings of different C-clocks in γ fall within a range y, as do the C-clock readings in θ, and the corresponding readings in γ and in θ of any C-clock differ by no more than x, then cfn(p, γ) and cfn(q, θ) are within π(x, y) of each other.⁴ The parameter y will roughly correspond to the amount by which the clocks have drifted relative to each other and x roughly indicates the message delay in communicating clock values. Typically, the parameter y dominates x. The quantity π(x, y) provides the bound on the skew $\delta_S$ immediately following resynchronization. For the precision to be truly enhanced, it is crucial for π(x, y) to be smaller than y.


Condition 10 (precision enhancement) Given any subset C of the N clocks with $|C| \ge N - F$, and clocks p and q in C, then for any readings γ and θ satisfying the conditions

1. for any l in C, $|\gamma(l) - \theta(l)| \le x$

2. for any l, m in C, $|\gamma(l) - \gamma(m)| \le y$

3. for any l, m in C, $|\theta(l) - \theta(m)| \le y$

there is a bound π(x, y), such that

$|cfn(p, \gamma) - cfn(q, \theta)| \le \pi(x, y)$   (2.2.18)


The final condition of accuracy preservation bounds the distance between the value of cfn(p, θ) and the nonfaulty entries in θ. If $t_q^{i+1} < t_p^{i+1}$, then accuracy preservation⁵ can be used to bound the difference between $IC_q^{i+1}(t_q^{i+1})$ and

⁴ Note that the order of arguments to π is reversed from their order in Schneider's description [1].

⁵ Footnote 7 in Schneider [1] explains the choice of the terms precision enhancement and accuracy preservation. ‘Precision’ is defined as the closeness with which a measurement can be reproduced, whereas ‘accuracy’ is the proximity of the measurement to the actual value being measured. The virtual clocks represent various measurements of real time. The condition of precision enhancement characterizes the closeness of these measurements to each other. The condition of accuracy preservation can be seen as bounding the drift rate of the virtual clock with respect to real time.
Condition 11 (accuracy preservation) Given any subset C of the N clocks with $|C| \ge N - F$, and clock readings θ such that for any l and m in C the bound $|\theta(l) - \theta(m)| \le x$ holds, there is a bound α(x) such that for any q in C

$|cfn(p, \theta) - \theta(q)| \le \alpha(x)$   (2.2.19)


In addition to the conditions enumerated above, Schneider presents a condition called monotonicity that is actually not satisfied by several clock synchronization protocols. Fortunately, this condition turns out to be unnecessary in the derivation. The monotonicity condition asserts that if for each processor l, $\theta(l) \ge \gamma(l)$, then $cfn(p, \theta) \ge cfn(p, \gamma)$. The failure of the monotonicity condition for ICA is demonstrated in Section 2.4.
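Conditions 9, 10 and 11 and the monotonicity counterexample, checked for the ICA egocentric mean as added example code (not the report's EHDM proof): N = 4 clocks, C = {0, 1, 2} playing the nonfaulty subset, clock 3 unconstrained, a threshold Δ assumed to be 4, and small integer readings so that the search for the worst-case discrepancy is exhaustive. The closed-form bounds the searches are compared against are derived here for the egocentric mean; they are not Schneider's π and α.

```python
from fractions import Fraction as Fr
from itertools import product

# Constructed setting (assumed values): N = 4 clocks, C = (0, 1, 2) is the
# subset of Conditions 10 and 11 (|C| >= N - F with F = 1), clock 3 may read
# anything, and readings are integers so the searches below are exhaustive.
N, F, DELTA = 4, 1, 4
C = (0, 1, 2)
FAULTY = 3

def n_cfn(p, theta):
    """N * cfn(p, theta) for the egocentric mean, kept as an integer: p's own
    reading plus the mean of the differences it accepts (|difference| <= DELTA)."""
    own = theta[p]
    return N * own + sum(d for d in (theta[l] - own for l in range(N)) if abs(d) <= DELTA)

def cfn(p, theta):
    return Fr(n_cfn(p, theta), N)

# Condition 9: shifting every reading by x shifts cfn by x, since the
# egocentric mean only ever looks at differences from p's own reading.
def translation_invariant(theta, x):
    shifted = {n: theta[n] + x for n in theta}
    return all(cfn(p, shifted) == cfn(p, theta) + x for p in range(N))

# Monotonicity fails: raising one reading past DELTA makes it ignored, so the
# mean goes down although no reading went down.
def monotonicity_counterexample():
    gamma = {0: 0, 1: DELTA, 2: 0, 3: 0}        # a difference of DELTA is still accepted
    theta = {0: 0, 1: DELTA + 1, 2: 0, 3: 0}    # DELTA + 1 is discarded
    assert all(theta[l] >= gamma[l] for l in range(N))
    return cfn(0, gamma), cfn(0, theta)         # (1, 0): theta yields the smaller value

def extremes(c_readings, lo, hi):
    """Smallest and largest N*cfn(p, theta) for each p in C, as the faulty
    clock's reading ranges over lo..hi with the C-readings fixed."""
    vals = {p: [] for p in C}
    for f in range(lo, hi + 1):
        theta = dict(zip(C, c_readings))
        theta[FAULTY] = f
        for p in C:
            vals[p].append(n_cfn(p, theta))
    return {p: (min(v), max(v)) for p, v in vals.items()}

# Condition 10: worst |cfn(p, gamma) - cfn(q, theta)| over p, q in C and all
# integer gamma, theta with C-spread <= y and |gamma(l) - theta(l)| <= x on C.
# Bound derived here (valid when y <= DELTA, so no C-reading is discarded):
#   pi(x, y) = x + (F*y + 2*F*DELTA) / N.
def worst_precision_discrepancy(x, y):
    worst = 0
    # by translation invariance, gamma's C-readings may be taken in 0..y
    for gc in product(range(y + 1), repeat=len(C)):
        eg = extremes(gc, -DELTA - 1, y + DELTA + 1)
        for tc in product(*[range(g - x, g + x + 1) for g in gc]):
            if max(tc) - min(tc) > y:
                continue
            et = extremes(tc, -DELTA - x - 1, y + x + DELTA + 1)
            for p in C:
                for q in C:
                    worst = max(worst, eg[p][1] - et[q][0], et[q][1] - eg[p][0])
    return Fr(worst, N)

# Condition 11: worst |cfn(p, theta) - theta(q)| over p, q in C for all integer
# theta with C-spread <= x. Bound derived here: alpha(x) = ((N-1)*x + F*DELTA) / N.
def worst_accuracy_discrepancy(x):
    worst = 0
    for tc in product(range(x + 1), repeat=len(C)):
        et = extremes(tc, -DELTA - 1, x + DELTA + 1)
        theta = dict(zip(C, tc))
        for p in C:
            for q in C:
                worst = max(worst, et[p][1] - N * theta[q], N * theta[q] - et[p][0])
    return Fr(worst, N)

if __name__ == "__main__":
    print("translation invariant:", translation_invariant({0: 3, 1: 7, 2: 2, 3: 40}, 5))
    print("monotonicity counterexample (gamma, theta):", monotonicity_counterexample())
    print("pi(1, 2) observed:", worst_precision_discrepancy(1, 2), "bound:", 1 + Fr(F * 2 + 2 * F * DELTA, N))
    print("alpha(2) observed:", worst_accuracy_discrepancy(2), "bound:", Fr((N - 1) * 2 + F * DELTA, N))
```

With these numbers the observed π(1, 2) = 7/2 exceeds y = 2, so the threshold is too large relative to the spread of the readings for precision to be enhanced; by the derived formula, enhancement requires x + (Fy + 2FΔ)/N < y.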


2.3 The Correctness Proof 

The proof described below closely follows Schneider's outline. A few of the details are different, mainly reflecting corrections or perceived improvements. These seemingly small revisions do, however, lead to drastic changes in the statements of many of the theorems. The details of the correctness proof are both conceptually and notationally complicated. The formal arguments are extremely delicate to carry out carefully and correctly due to the additional consideration of processor failure. The true difficulty of constructing watertight proofs may not be apparent in the descriptions below since they only capture the end result of a mechanical verification and not the tenuous intermediate steps. It would be extremely difficult for even the most diligent mathematician to correctly capture all the details of such proofs without machine assistance. One difficulty is the care that is needed to ensure that no assumptions are made regarding failed clocks. Schneider [1], for instance, asserts, “We make no assumptions about the behavior of clocks at faulty processors — not even that they can be modeled by functions.” The present formulation does not go as far as to avoid the use of functions to model the behavior of failed clocks, but no constraints are placed on the values of these functions when a processor has failed. The use of functions does not seem to contradict any intuitive understanding of the physical behavior of failed clocks. The possibility of processor failure adds significantly to the complexity of the formalization as well as the proof.

The proof described in this section is itself a somewhat simplified rendering of the mechanically verified proof. The main difference is that in the mechanical proof, the faultiness of a processor is itself a time-varying property, i.e., processors can fail at any time. A brief overview is given below to provide an outline of the detailed proof. The words processor and clock are used interchangeably.

2.3.1 Overview 

To establish the main result, Theorem 2.1.1, we must show that the skew, or absolute difference, between the readings of any two nonfaulty clocks p and q at time t, given by $|VC_p(t) - VC_q(t)|$, is bounded by a quantity δ. By the definition of VC in (2.1.4), this reduces to the following two cases:

1. When both clocks have been resynchronized for the i'th time but not for the (i + 1)'th time, i.e., if $\max(t_p^i, t_q^i) \le t < \min(t_p^{i+1}, t_q^{i+1})$, then the skew between $IC_p^i(t)$ and $IC_q^i(t)$ is bounded by δ, and

2. When only one clock, say q, has been resynchronized for the (i + 1)'th time, i.e., if $t_q^{i+1} \le t < t_p^{i+1}$, then the skew between $IC_p^i(t)$ and $IC_q^{i+1}(t)$ is bounded by δ.

For two nonfaulty clocks p and q, the time immediately following their i'th round of synchronization is $\max(t_p^i, t_q^i)$. The main step in the argument is to show that the skew between the readings $IC_p^i(t)$ and $IC_q^i(t)$ at time $t = \max(t_p^i, t_q^i)$ is bounded by a quantity $\delta_S$. This is shown by induction on i, and employs the conditions of initial skew, translation invariance, and precision enhancement.

We now know that the clocks $IC_p^i$ and $IC_q^i$ start off no more than $\delta_S$ apart at $\max(t_p^i, t_q^i)$. By bounded interval and bounded drift, the skew between $IC_p^i(t)$ and $IC_q^i(t)$ does not increase by more than $2\rho r_{max}$ in the interval $\max(t_p^i, t_q^i) \le t < \min(t_p^{i+1}, t_q^{i+1})$. Assuming that $t_q^{i+1} < t_p^{i+1}$, the restriction of accuracy preservation on the convergence function is used to bound the skew between $IC_q^{i+1}(t_q^{i+1})$ and $IC_p^i(t_q^{i+1})$. By bounded delay and bounded drift, the additional skew between the readings $IC_p^i(t)$ and $IC_q^{i+1}(t)$ over the interval $t_q^{i+1} \le t < t_p^{i+1}$ is no more than $2\rho\beta$. To obtain the final result, we need to constrain the quantities ρ, $\delta_S$, $r_{min}$, $r_{max}$, and β so that the skew bounds derived over the various intervals are within δ. Schneider also shows that the restrictions of translation invariance, precision enhancement, and accuracy preservation are satisfied by many of the known Byzantine fault tolerant convergence functions [1].

2.3.2 The Proof 

The details of the proof of bounded skew are presented below. Let $t_{p,q}^i$ 
denote $\max(t_p^i, t_q^i)$. The first major step in Schneider's proof is to prove: 

Theorem 2.3.1 There is a bound $\delta_S$ such that for synchronization round i 
and any two nonfaulty processors p and q, 

$$|IC_p^i(t_{p,q}^i) - IC_q^i(t_{p,q}^i)| \le \delta_S. \quad (2.3.20)$$

Proof. The proof of Theorem 2.3.1 is by induction on the round number i. 

Base case: When i = 0, by (2.2.13) we have $t_p^0 = t_q^0 = 0$. Then by 
Definitions (2.1.3) and (2.1.1), $IC_p^0(t_p^0) = PC_p(0)$ and $IC_q^0(t_p^0) = PC_q(0)$. 
The condition of initial skew asserts $|PC_p(0) - PC_q(0)| \le \delta_S$. Hence, 
$|IC_p^0(0) - IC_q^0(0)|$ is also bounded by $\delta_S$. 

Induction case: The induction hypothesis asserts that for every pair of 
nonfaulty processors l and m, 

$$|IC_l^i(t_{l,m}^i) - IC_m^i(t_{l,m}^i)| \le \delta_S. \quad (2.3.21)$$

The goal is to establish for any pair of nonfaulty processors p and q that 

$$|IC_p^{i+1}(t_{p,q}^{i+1}) - IC_q^{i+1}(t_{p,q}^{i+1})| \le \delta_S. \quad (2.3.22)$$

Without loss of generality, assume that $t_q^{i+1}$ precedes $t_p^{i+1}$, so that $t_{p,q}^{i+1} = 
t_p^{i+1}$. Then Equation (2.1.6) yields 

$$IC_q^{i+1}(t_p^{i+1}) = cfn(q, \Theta_q^{i+1}) + PC_q(t_p^{i+1}) - PC_q(t_q^{i+1}). \quad (2.3.23)$$

By Equation (2.1.5), we have 

$$IC_p^{i+1}(t_p^{i+1}) = cfn(p, \Theta_p^{i+1}). \quad (2.3.24)$$

The condition of translation invariance provides an estimate of $IC_q^{i+1}(t_p^{i+1})$ 
in terms of the convergence function cfn. With $\Theta_q^{i+1}$ for $\theta$ in Equa- 
tion (2.2.17), we get 

$$\begin{aligned}
& cfn(q, \Theta_q^{i+1}) + PC_q(t_p^{i+1}) - PC_q(t_q^{i+1}) \\
&= cfn(q, (\lambda n: \Theta_q^{i+1}(n) + PC_q(t_p^{i+1}) - PC_q(t_q^{i+1}))). \quad (2.3.25)
\end{aligned}$$

By (2.3.24) and (2.3.25), the bound on the initial skews can be rewritten as 
follows: 

$$\begin{aligned}
& |IC_p^{i+1}(t_p^{i+1}) - IC_q^{i+1}(t_p^{i+1})| \\
&= |cfn(q, (\lambda n: \Theta_q^{i+1}(n) + PC_q(t_p^{i+1}) - PC_q(t_q^{i+1}))) - cfn(p, \Theta_p^{i+1})|. \quad (2.3.26)
\end{aligned}$$

The right-hand side of (2.3.26) can be bounded by $\pi(x, y)$ for some x and 
y using precision enhancement with $(\lambda n: \Theta_q^{i+1}(n) + PC_q(t_p^{i+1}) - PC_q(t_q^{i+1}))$ 
for $\gamma$ and $\Theta_p^{i+1}$ for $\theta$. The set C in precision enhancement is taken to be 
the subset of nonfaulty clocks as permitted by bounded faults. The next few 
steps demonstrate that the remaining hypotheses of precision enhancement 
can be satisfied with these substitutions. To satisfy Hypothesis 1, we need 
to find an x such that for any nonfaulty l we can derive 

$$|(\Theta_q^{i+1}(l) + PC_q(t_p^{i+1}) - PC_q(t_q^{i+1})) - \Theta_p^{i+1}(l)| \le x.$$

As shown below, the value $2\rho\beta + 2\Lambda$ can be substituted for x. By Equa- 
tion (2.2.16), we easily get 

$$|IC_l^i(t_q^{i+1}) - \Theta_q^{i+1}(l)| \le \Lambda, \text{ and} \quad (2.3.27)$$

$$|IC_l^i(t_p^{i+1}) - \Theta_p^{i+1}(l)| \le \Lambda. \quad (2.3.28)$$

Note that $t_p^{i+1} - t_q^{i+1} \le \beta$ by (2.2.12). So from Equation (2.1.3) and bounded 
drift, we have 

$$\begin{aligned}
& |(IC_l^i(t_q^{i+1}) + PC_q(t_p^{i+1}) - PC_q(t_q^{i+1})) - IC_l^i(t_p^{i+1})| \\
&= |(PC_q(t_p^{i+1}) - PC_q(t_q^{i+1})) - (IC_l^i(t_p^{i+1}) - IC_l^i(t_q^{i+1}))| \\
&= |(PC_q(t_p^{i+1}) - PC_q(t_q^{i+1})) - (PC_l(t_p^{i+1}) - PC_l(t_q^{i+1}))| \\
&\le |(1 + \rho)(t_p^{i+1} - t_q^{i+1}) - (1 - \rho)(t_p^{i+1} - t_q^{i+1})| \\
&= |2\rho(t_p^{i+1} - t_q^{i+1})| \\
&\le 2\rho\beta. \quad (2.3.29)
\end{aligned}$$

Putting together Equations (2.3.27), (2.3.28), and (2.3.29), we get the re- 
quired inequality 

$$|\Theta_q^{i+1}(l) + PC_q(t_p^{i+1}) - PC_q(t_q^{i+1}) - \Theta_p^{i+1}(l)| \le 2\rho\beta + 2\Lambda. \quad (2.3.30)$$

The substitution $2\rho\beta + 2\Lambda$ for x thus satisfies Hypothesis 1 of precision 
enhancement. 

The next step is to satisfy Hypotheses 2 and 3 of precision enhancement 
for the specified substitutions. For these, we need a y such that for any 
nonfaulty processors l and m, the following inequalities hold. 

$$|(\Theta_q^{i+1}(l) + PC_q(t_p^{i+1}) - PC_q(t_q^{i+1})) - (\Theta_q^{i+1}(m) + PC_q(t_p^{i+1}) - PC_q(t_q^{i+1}))| \le y \quad (2.3.31)$$

$$|\Theta_p^{i+1}(l) - \Theta_p^{i+1}(m)| \le y \quad (2.3.32)$$

Since (2.3.31) can be simplified by cancellation, both (2.3.31) and (2.3.32) 
can be derived by deriving a bound y such that for all nonfaulty clocks k, l, 
and m, we get 

$$|\Theta_k^{i+1}(l) - \Theta_k^{i+1}(m)| \le y. \quad (2.3.33)$$

First note that 

$$\begin{aligned}
& |\Theta_k^{i+1}(l) - \Theta_k^{i+1}(m)| \\
&\le |\Theta_k^{i+1}(l) - IC_l^i(t_k^{i+1})| + |IC_l^i(t_k^{i+1}) - IC_m^i(t_k^{i+1})| + |\Theta_k^{i+1}(m) - IC_m^i(t_k^{i+1})|. \quad (2.3.34)
\end{aligned}$$

In (2.3.34), we know by Equation (2.2.16) that 

$$|\Theta_k^{i+1}(l) - IC_l^i(t_k^{i+1})| \le \Lambda, \text{ and} \quad (2.3.35)$$

$$|\Theta_k^{i+1}(m) - IC_m^i(t_k^{i+1})| \le \Lambda. \quad (2.3.36)$$

By the induction hypothesis (2.3.21), we get 

$$|IC_l^i(t_{l,m}^i) - IC_m^i(t_{l,m}^i)| \le \delta_S. \quad (2.3.37)$$

We know by (2.2.15) that $t_k^{i+1} - t_{l,m}^i \le r_{max} + \beta$. Then by (2.1.3), (2.2.10), 
and (2.3.37), we get 

$$|IC_l^i(t_k^{i+1}) - IC_m^i(t_k^{i+1})| \le \delta_S + 2\rho(r_{max} + \beta). \quad (2.3.38)$$

Combining Equations (2.3.34), (2.3.35), (2.3.36), and (2.3.38), we get 

$$|\Theta_k^{i+1}(l) - \Theta_k^{i+1}(m)| \le \delta_S + 2\rho(r_{max} + \beta) + 2\Lambda. \quad (2.3.39)$$

So the expression $\delta_S + 2\rho(r_{max} + \beta) + 2\Lambda$ is the required bound y satisfying 
both Hypotheses 2 and 3 of precision enhancement. 

If we now choose $\delta_S$ so that 

$$\pi(2\Lambda + 2\beta\rho,\ \delta_S + 2\rho(r_{max} + \beta) + 2\Lambda) \le \delta_S, \quad (2.3.40)$$

then the conclusion of precision enhancement along with Equation (2.1.6) 
ensures that 

$$|IC_p^{i+1}(t_p^{i+1}) - IC_q^{i+1}(t_p^{i+1})| \le \delta_S$$

to complete the proof of Theorem 2.3.1. ■ 

We have now shown that for any pair of nonfaulty processors p and q, 
the skew between their clock readings at $t_{p,q}^i$, given by $|IC_p^i(t_{p,q}^i) - IC_q^i(t_{p,q}^i)|$, 
does not exceed $\delta_S$. The next step is to show that for any i, the clock skew 
between $t_{p,q}^i$ and $t_{p,q}^{i+1}$ is bounded. 

Theorem 2.3.2 For any two nonfaulty clocks p, q, and $t_{p,q}^i \le t < t_{p,q}^{i+1}$, 

$$|VC_p(t) - VC_q(t)| \le \delta. \quad (2.3.41)$$

Proof. Assume without loss of generality that $t_q^{i+1} \le t_p^{i+1}$. The proof has 
two cases according to whether $t_{p,q}^i \le t < t_q^{i+1}$ or $t_q^{i+1} \le t < t_p^{i+1}$. 

Case 1: Assuming $t_{p,q}^i \le t < t_q^{i+1}$, from bounded interval we get 
$t - t_{p,q}^i \le r_{max}$. By Equation (2.1.4), it is clear that for t in this interval $VC_p(t) = 
IC_p^i(t)$ and $VC_q(t) = IC_q^i(t)$. Then by (2.2.10) and (2.1.3), it follows that 

$$|VC_p(t) - VC_q(t)| \le |VC_p(t_{p,q}^i) - VC_q(t_{p,q}^i)| + 2\rho r_{max}. \quad (2.3.42)$$

Recall that Theorem 2.3.1 yields 

$$|VC_p(t_{p,q}^i) - VC_q(t_{p,q}^i)| \le \delta_S. \quad (2.3.43)$$

Combining Equations (2.3.42) and (2.3.43), we have 

$$|VC_p(t) - VC_q(t)| \le \delta_S + 2\rho r_{max}. \quad (2.3.44)$$

The bound $\delta$ should therefore be chosen so that 

$$\delta_S + 2\rho r_{max} \le \delta. \quad (2.3.45)$$
Case 2: Assuming $t_q^{i+1} \le t < t_p^{i+1}$. In this interval, $VC_q(t) = IC_q^{i+1}(t)$, 
whereas $VC_p(t) = IC_p^i(t)$. The strategy here is to bound the skew at $t_q^{i+1}$ 
and then compute the additional quantity by which the clocks can drift 
apart in the given interval. By Equations (2.1.5) and (2.1.4), we have 

$$|VC_p(t_q^{i+1}) - VC_q(t_q^{i+1})| = |IC_p^i(t_q^{i+1}) - cfn(q, \Theta_q^{i+1})|. \quad (2.3.46)$$

We now need to use the condition of accuracy preservation with C as the 
subset of nonfaulty processors as allowed by bounded faults. To satisfy the 
hypothesis of accuracy preservation, we need a bound x such that, for any 
pair of nonfaulty clocks l and m, 

$$|\Theta_q^{i+1}(l) - \Theta_q^{i+1}(m)| \le x. \quad (2.3.47)$$

The next few steps are similar to those required to establish Hypotheses 2 
and 3 of precision enhancement. By Equation (2.2.16), we have 

$$|\Theta_q^{i+1}(l) - IC_l^i(t_q^{i+1})| \le \Lambda \quad (2.3.48)$$

$$|\Theta_q^{i+1}(m) - IC_m^i(t_q^{i+1})| \le \Lambda. \quad (2.3.49)$$

By Equation (2.2.15), $t_q^{i+1} - t_{l,m}^i \le r_{max} + \beta$ holds. Theorem 2.3.1 
and (2.2.10) can now be applied to get 

$$|IC_l^i(t_q^{i+1}) - IC_m^i(t_q^{i+1})| \le \delta_S + 2\rho(r_{max} + \beta). \quad (2.3.50)$$

Letting x be $\delta_S + 2\rho(r_{max} + \beta) + 2\Lambda$, and substituting p for q and q for 
p in accuracy preservation, we can combine Equations (2.3.48), (2.3.49), 
and (2.3.50) to get 

$$|cfn(q, \Theta_q^{i+1}) - \Theta_q^{i+1}(p)| \le \alpha(\delta_S + 2\rho(r_{max} + \beta) + 2\Lambda). \quad (2.3.51)$$

Since Equation (2.2.16) yields $|\Theta_q^{i+1}(p) - IC_p^i(t_q^{i+1})| \le \Lambda$, it follows from 
Equations (2.3.51) and (2.3.46) that 

$$\begin{aligned}
& |VC_p(t_q^{i+1}) - VC_q(t_q^{i+1})| \\
&= |IC_p^i(t_q^{i+1}) - cfn(q, \Theta_q^{i+1})| \\
&\le \alpha(\delta_S + 2\rho(r_{max} + \beta) + 2\Lambda) + \Lambda. \quad (2.3.52)
\end{aligned}$$

Having bounded the skew at $t_q^{i+1}$, we can bound the skew over the in- 
terval $t_q^{i+1} \le t < t_p^{i+1}$ by observing that $t_p^{i+1} - t_q^{i+1} \le \beta$ by (2.2.12), and 
applying Equation (2.2.10) to derive the inequality 

$$|VC_p(t) - VC_q(t)| \le \alpha(\delta_S + 2\rho(r_{max} + \beta) + 2\Lambda) + \Lambda + 2\rho\beta. \quad (2.3.53)$$

Therefore $\delta$ has to be chosen to satisfy 

$$\alpha(\delta_S + 2\rho(r_{max} + \beta) + 2\Lambda) + \Lambda + 2\rho\beta \le \delta. \quad (2.3.54)$$

This completes both cases of the proof of Theorem 2.3.2. ■ 
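The clock model that the two cases above manipulate, written out as an added example; this is not code from the report or from its Ehdm modules. It assum<br>es linear physical clocks $PC_p(t) = PC_p(0) + rate_p \cdot t$ with $|rate_p - 1| \le \rho$ (the simplest model that satisfies bounded drift), takes the value $cfn(p, \Theta_p^i)$ applied at each resynchronization as a constructed input instead of computing it, and uses exaggerated constructed parameters ($\rho = 1/100$, $\beta = 1$) so that the drift is visible. The check `max_drift_excess` is the inequality both cases rely on: inside an interval in which neither clock resynchronizes, the skew grows by at most $2\rho$ per unit of time, which is why the proof splits the round at $t_q^{i+1}$.

```python
"""Physical, interval and virtual clocks of Chapter 2, definitions (2.1.1)-(2.1.6).

Added example, not code from the report.  Physical clocks are linear with a
rate within rho of 1; the cfn value taken at each resynchronization is given.
"""
from fractions import Fraction
from typing import List, Tuple


class Clock:
    """One processor's clocks, indexed by resynchronization round i."""

    def __init__(self, pc0: Fraction, rate: Fraction,
                 sync_times: List[Fraction], cfn_values: List[Fraction]):
        # sync_times[i] is t_p^i; sync_times[0] == 0 is initial synchronization (2.2.13).
        # cfn_values[i] is cfn(p, Theta_p^i) for i >= 1 (entry 0 is unused).
        assert sync_times[0] == 0 and len(cfn_values) == len(sync_times)
        self.pc0, self.rate = pc0, rate
        self.sync_times, self.cfn_values = sync_times, cfn_values

    def pc(self, t) -> Fraction:
        """Physical clock PC_p(t), definition (2.1.1), assumed linear here."""
        return self.pc0 + self.rate * t

    def adj(self, i: int) -> Fraction:
        """Adjustment cfn(p, Theta_p^i) - PC_p(t_p^i), and 0 for i = 0 (Adj in Figure 3.4)."""
        if i == 0:
            return Fraction(0)
        return self.cfn_values[i] - self.pc(self.sync_times[i])

    def ic(self, i: int, t) -> Fraction:
        """Interval clock IC_p^i(t) = PC_p(t) + ADJ_p^i, definition (2.1.3)."""
        return self.pc(t) + self.adj(i)

    def round_at(self, t) -> int:
        """The i with t_p^i <= t < t_p^{i+1} (the last round once t passes the final sync)."""
        i = 0
        while i + 1 < len(self.sync_times) and self.sync_times[i + 1] <= t:
            i += 1
        return i

    def vc(self, t) -> Fraction:
        """Virtual clock VC_p(t) = IC_p^i(t) for t_p^i <= t < t_p^{i+1}, definition (2.1.4)."""
        return self.ic(self.round_at(t), t)


def skew(p: Clock, q: Clock, t) -> Fraction:
    """|VC_p(t) - VC_q(t)|, the quantity Theorem 2.3.2 bounds."""
    return abs(p.vc(t) - q.vc(t))


def max_drift_excess(p: Clock, q: Clock, t0, t1, rho: Fraction, samples: int) -> Fraction:
    """Largest amount by which skew(t) exceeds skew(t0) + 2*rho*(t - t0) on a grid
    over [t0, t1).  Bounded drift makes this <= 0 whenever neither clock
    resynchronizes inside the interval; a resynchronization inside it can break
    the bound, which is why Theorem 2.3.2 treats [t_pq^i, t_q^{i+1}) and
    [t_q^{i+1}, t_p^{i+1}) separately."""
    t0, t1 = Fraction(t0), Fraction(t1)
    base = skew(p, q, t0)
    worst = None
    for k in range(samples):
        t = t0 + (t1 - t0) * k / samples
        excess = skew(p, q, t) - base - 2 * rho * (t - t0)
        worst = excess if worst is None else max(worst, excess)
    return worst


def round_after(t, r_min) -> int:
    """i = ceil(t / r_min) + 1 from the proof of Theorem 2.3.4: with consecutive
    synchronizations at least r_min apart, t_p^i > t."""
    return -((-t) // r_min) + 1


def example_pair() -> Tuple[Clock, Clock, Fraction]:
    """Constructed pair of nonfaulty clocks: p runs fast, q runs slow, they start
    1/2 apart, and q resynchronizes one unit after p in each round (beta = 1).
    The cfn values are constructed, not computed by any convergence function."""
    rho = Fraction(1, 100)
    p = Clock(Fraction(0), 1 + rho, [0, 10, 20], [0, Fraction(10), Fraction(20)])
    q = Clock(Fraction(1, 2), 1 - rho, [0, 11, 21], [0, Fraction(11), Fraction(21)])
    return p, q, rho
```

With the constructed pair, `p.vc(10)` and `q.vc(11)` equal the supplied cfn values, which is (2.1.5), and `max_drift_excess` is 0 on every sub-interval of a round in which neither clock resets.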

Theorem 2.3.2 forms the induction step in the proof of the following 
theorem. 

Theorem 2.3.3 For any two nonfaulty clocks p, q, and $t < t_{p,q}^i$, 

$$|VC_p(t) - VC_q(t)| \le \delta. \quad (2.3.55)$$

Proof. The proof is by straightforward induction over i. When i = 0, 
the antecedent fails since $t_{p,q}^0 = 0$. The induction hypothesis asserts that for 
$t < t_{p,q}^i$, the quantity $|VC_p(t) - VC_q(t)|$ does not exceed $\delta$. The induction 
conclusion requires showing that $\delta$ bounds $|VC_p(t) - VC_q(t)|$ even when 
$t < t_{p,q}^{i+1}$. We observe that either $t < t_{p,q}^i$, in which case the conclusion follows 
from the induction hypothesis, or $t_{p,q}^i \le t < t_{p,q}^{i+1}$, and the conclusion easily 
follows from Theorem 2.3.2. ■ 

One small step remains in the proof of bounded skew from Theorem 2.3.3. 

Theorem 2.3.4 For any t > 0 and nonfaulty processors p and q, there is 
an i such that 

$$t < t_{p,q}^i.$$

Proof. By bounded interval, $0 < r_{min} \le t_p^{j+1} - t_p^j$. Thus, $t_p^{j+1} > j\, r_{min}$. If 
we let i be $\lceil t/r_{min} \rceil + 1$, then $t_p^i > t$. ■ 

The main result, Theorem 2.1.1, easily follows from Theorems 2.3.3 
and 2.3.4. 

We take note of the various conditions on $\delta$ and $\delta_S$:⁶ 

1. $\pi(2\Lambda + 2\beta\rho,\ \delta_S + 2\rho(r_{max} + \beta) + 2\Lambda) \le \delta_S$, by (2.3.40). 

2. $\delta_S + 2\rho r_{max} \le \delta$, by (2.3.45). 

3. $\alpha(\delta_S + 2\rho(r_{max} + \beta) + 2\Lambda) + \Lambda + 2\rho\beta \le \delta$, by (2.3.54). 

This concludes the informal presentation of the proof. 

⁶ Note that these conditions are significantly different from those derived by Schnei- 
der [1] due to various inaccuracies that have been corrected in the mechanical proof. 
2.4 ICA as an instance of Schneider's scheme 

The egocentric mean function which is used as a convergence function in the 
Interactive Convergence Algorithm of Lamport and Melliar-Smith [3] can be 
shown to satisfy Schneider's conditions of translation invariance, precision 
enhancement, and accuracy preservation. 

With the interactive convergence algorithm, the convergence function 
$cfn_I$ takes the egocentric mean of p's estimate of the readings of the N 
clocks numbered from 0 to N - 1, i.e., any readings that are more than $\Delta$ 
away from p's own reading are replaced by p's own reading. This yields the 
definition 

$$cfn_I(p, \theta) = \frac{\sum_{l=0}^{N-1} fix_p(\theta(l))}{N} \quad (2.4.56)$$

where 

$$fix_p(x) = \begin{cases} x & \text{if } |x - \theta(p)| \le \Delta \\ \theta(p) & \text{otherwise.} \end{cases}$$

Translation invariance follows from the observation that 

$$fix_p((\lambda l: \theta(l) + t)(q)) = fix_p(\theta(q)) + t \quad (2.4.57)$$

and 

$$\frac{\sum_{l=0}^{N-1} fix_p((\lambda n: \theta(n) + t)(l))}{N} = \frac{\sum_{l=0}^{N-1} fix_p(\theta(l))}{N} + t. \quad (2.4.58)$$

To demonstrate precision enhancement, we start with a set of processors 
C of cardinality $|C|$ greater than $N - F$. Let f be $N - |C|$. The hypotheses 
for precision enhancement are that for any l and m in C, 

$$|\gamma(l) - \theta(l)| \le x \quad (2.4.59)$$

$$|\gamma(l) - \gamma(m)| \le y \quad (2.4.60)$$

$$|\theta(l) - \theta(m)| \le y. \quad (2.4.61)$$

We must then exhibit a bound $\pi(x, y)$ so that for any p and q in C, we get 

$$|cfn_I(p, \gamma) - cfn_I(q, \theta)| \le \pi(x, y). \quad (2.4.62)$$

This difference can be rewritten as 

$$\left| \frac{\sum_{l=0}^{N-1} fix_p(\gamma(l))}{N} - \frac{\sum_{l=0}^{N-1} fix_q(\theta(l))}{N} \right|$$

which is no greater than 

$$\frac{\sum_{l=0}^{N-1} |fix_p(\gamma(l)) - fix_q(\theta(l))|}{N}.$$

This in turn can be rewritten as 

$$\frac{\sum_{l \in C} |fix_p(\gamma(l)) - fix_q(\theta(l))|}{N} + \frac{\sum_{l \notin C} |fix_p(\gamma(l)) - fix_q(\theta(l))|}{N}.$$

Assuming $y \le \Delta$ and $l \in C$, we get $fix_p(\gamma(l))$ to be $\gamma(l)$ and $fix_q(\theta(l))$ to 
be $\theta(l)$, so that 

$$|fix_p(\gamma(l)) - fix_q(\theta(l))| \le x$$

and hence, 

$$\frac{\sum_{l \in C} |fix_p(\gamma(l)) - fix_q(\theta(l))|}{N} \le \frac{(N - f)x}{N}.$$

For $l \notin C$, the difference 

$$|fix_p(\gamma(l)) - fix_q(\theta(l))| \le 2\Delta + |\gamma(p) - \theta(q)| \le 2\Delta + x + y$$

and hence 

$$\frac{\sum_{l \notin C} |fix_p(\gamma(l)) - fix_q(\theta(l))|}{N} \le \frac{2f\Delta + fx + fy}{N}.$$

We thus get, when $y \le \Delta$, that 

$$\pi(x, y) = \frac{(N - f)x}{N} + \frac{2f\Delta + fx + fy}{N}. \quad (2.4.63)$$

In the typical situation when the egocentric mean is computed, the quan- 
tity x representing the reading error is negligible, and y representing the 
clock skew is bounded by $\Delta$. Since the skew following synchronization should 
be smaller than $\Delta$, we can see that in Equation (2.4.63), the number of failed 
processors f should be below $N/3$. Though the derivation of $\pi(x, y)$ for the 
case when $y > \Delta$ is carried out in the machine proof, it is not essential since 
in practice, y will not exceed $\Delta$. 

To show that $cfn_I$ satisfies accuracy preservation, it is sufficient to ob- 
serve that if all the nonfaulty clocks are within x of each other, then the 
nonfaulty clocks can cause the egocentric mean to be at most $(N - f)x/N$ 
away from any nonfaulty clock. The faulty clocks can cause the egocentric 
mean to be up to $f \times (x + \Delta)/N$ away from a good clock. The total thus 
yields 

$$\alpha(x) = x + \frac{f\Delta}{N}.$$

The final step is to demonstrate the failure of the monotonicity condition 
for ICA. The monotonicity condition mentioned at the end of Section 2.2 
asserts that if for each processor l, $\theta(l) \ge \gamma(l)$, then $cfn(p, \theta) \ge cfn(p, \gamma)$. 
The key reason for the failure of the monotonicity condition is that if some 
readings in $\gamma$ were ignored because they were more than $\Delta$ below $\gamma(p)$ but 
were increased in $\theta$ so that they were no longer ignored, then $cfn(p, \theta)$ could 
effectively be smaller than $cfn(p, \gamma)$ even though for every l, $\theta(l) \ge \gamma(l)$. 
More specifically, let $\theta(p) = \gamma(p)$. Observe now that if there is some l such 
that $\theta(l) + \Delta < \theta(p)$, but with $\gamma(p) \ge \gamma(l) \ge \gamma(p) - \Delta$, then $fix_p(\theta(l)) \ge 
fix_p(\gamma(l))$ holds. So, it is possible to have $fix_p(\theta(l)) > fix_p(\gamma(l))$, even 
though we have $\theta(l) < \gamma(l)$. 

For the mechanical verification of ICA as an instance of Schneider's pro- 
tocol, we have verified that the constraints, i.e., translation invariance, precision 
enhancement, and accuracy preservation, hold for the egocentric mean taken 
as a convergence function. We have not yet instantiated the quantities $r_{min}$, 
$r_{max}$ and $\beta$, nor verified the conditions of bounded interval, bounded delay 
and nonoverlap, since these depend on specific implementation choices. It 
would also be useful to mechanically verify various other Byzantine fault tol- 
erant clock synchronization algorithms to be instances of Schneider's scheme. 
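The egocentric mean of this section in executable form, as an added example that is not code from the report or from the Ehdm modules of Chapter 3. It serves both the list of conditions on $\delta$ and $\delta_S$ at the end of Section 2.3.2 and the derivation above: `cfn_I` is (2.4.56), `pi_I` and `alpha_I` are the bounds $\pi(x, y)$ of (2.4.63) (valid for $y \le \Delta$) and $\alpha(x) = x + f\Delta/N$, `skew_bounds` solves condition 1 for the smallest $\delta_S$ and then takes the $\delta$ forced by conditions 2 and 3, and `monotonicity_counterexample` builds the pair of reading vectors described in the last paragraph. The closed form for $\delta_S$ is derived here from (2.4.63) and not stated on the page; the numeric parameters in `example_parameters` are constructed, not taken from any real system.

```python
"""ICA's egocentric mean as Schneider's convergence function, Section 2.4.

Added example, not the report's code.  Exact rational arithmetic is used so
the equality cases of the conditions can be checked exactly.
"""
from fractions import Fraction
from typing import Dict, Sequence, Tuple


def fix(p: int, theta: Sequence, x, Delta) -> Fraction:
    """fix_p(x): keep the reading if it lies within Delta of p's own reading theta(p),
    otherwise substitute theta(p)."""
    return x if abs(x - theta[p]) <= Delta else theta[p]


def cfn_I(p: int, theta: Sequence, Delta) -> Fraction:
    """Egocentric mean (2.4.56): the mean of the N readings after fix_p."""
    N = len(theta)
    return sum((fix(p, theta, theta[l], Delta) for l in range(N)), Fraction(0)) / N


def translation_invariant(p: int, theta: Sequence, t, Delta) -> bool:
    """Checks (2.4.58): shifting every reading by t shifts cfn_I(p, .) by exactly t."""
    shifted = [v + t for v in theta]
    return cfn_I(p, shifted, Delta) == cfn_I(p, theta, Delta) + t


def pi_I(x, y, N: int, f: int, Delta) -> Fraction:
    """Precision enhancement bound (2.4.63); the page derives it only for y <= Delta."""
    if y > Delta:
        raise ValueError("(2.4.63) was derived under the assumption y <= Delta")
    return ((N - f) * x + 2 * f * Delta + f * x + f * y) / N


def alpha_I(x, N: int, f: int, Delta) -> Fraction:
    """Accuracy preservation bound alpha(x) = x + f*Delta/N."""
    return x + f * Delta / N


def precision_improves(N: int, f: int, Delta) -> bool:
    """The 'typical situation' of the page: x negligible and y = Delta; the skew
    after synchronization, pi(0, Delta) = 3*f*Delta/N, is below Delta iff f < N/3."""
    return pi_I(Fraction(0), Delta, N, f, Delta) < Delta


def skew_bounds(N: int, f: int, rho, r_max, beta, Lam, Delta) -> Dict[str, Fraction]:
    """Smallest delta_S meeting condition 1 (2.3.40) with pi_I, and the delta forced
    by conditions 2 (2.3.45) and 3 (2.3.54).  With x = 2*Lam + 2*beta*rho and
    c = 2*rho*(r_max + beta) + 2*Lam, (2.3.40) rearranges to
    delta_S >= (N*x + f*(2*Delta + c)) / (N - f)   (derived here, not on the page)."""
    x = 2 * Lam + 2 * beta * rho
    c = 2 * rho * (r_max + beta) + 2 * Lam
    delta_S = (N * x + f * (2 * Delta + c)) / (N - f)
    y = delta_S + c
    cond2 = delta_S + 2 * rho * r_max
    cond3 = alpha_I(y, N, f, Delta) + Lam + 2 * rho * beta
    return {"x": x, "y": y, "delta_S": delta_S, "delta": max(cond2, cond3)}


def conditions_hold(N: int, f: int, rho, r_max, beta, Lam, Delta) -> bool:
    """Re-checks the three conditions of Section 2.3.2 on the values skew_bounds chose."""
    b = skew_bounds(N, f, rho, r_max, beta, Lam, Delta)
    ds, d = b["delta_S"], b["delta"]
    return (pi_I(b["x"], b["y"], N, f, Delta) <= ds                      # (2.3.40)
            and ds + 2 * rho * r_max <= d                                 # (2.3.45)
            and alpha_I(b["y"], N, f, Delta) + Lam + 2 * rho * beta <= d)  # (2.3.54)


def example_parameters() -> Dict[str, object]:
    """Constructed parameters: 4 clocks, 1 fault, drift 1e-6, r_max = 1000,
    beta = 1, reading error Lam = 1/100, ICA threshold Delta = 1."""
    return {"N": 4, "f": 1, "rho": Fraction(1, 10 ** 6), "r_max": Fraction(1000),
            "beta": Fraction(1), "Lam": Fraction(1, 100), "Delta": Fraction(1)}


def monotonicity_counterexample(Delta) -> Tuple[Fraction, Fraction]:
    """theta(l) >= gamma(l) for every l, yet cfn_I(p, theta) < cfn_I(p, gamma):
    gamma(1) lies more than Delta below gamma(p) and is replaced by gamma(p),
    while theta(1) is raised just inside the window and is kept as it is."""
    p = 0
    gamma = [Fraction(10), Fraction(10) - Delta - 1, Fraction(10), Fraction(10)]
    theta = [Fraction(10), Fraction(10) - Delta, Fraction(10), Fraction(10)]
    assert all(t >= g for t, g in zip(theta, gamma))
    return cfn_I(p, gamma, Delta), cfn_I(p, theta, Delta)
```

With the constructed parameters, $y$ stays below $\Delta$, so (2.4.63) applies, and the $\delta_S$ returned satisfies condition 1 with equality; condition 3 is the one that determines $\delta$.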
Chapter 3 

The Verification of 
Schneider's Protocol using 
Ehdm 


The outline in Chapter 2 was adapted from Schneider’s description but dif- 
fers from his presentation in many of the details. The mechanized formaliza- 
tion using Ehdm follows the informal description in Chapter 2 fairly closely. 
We illustrate the highlights of the machine proof below and indicate the 
correspondence to the informal description. Details regarding the language 
and capabilities of Ehdm are contained in the Ehdm tutorial document [2]. 

3.1 The Clock Assumptions 

This section contains the Ehdm formalization of the conditions axiomatiz- 
ing the behavior of clocks. These axioms are contained in a module labeled 
clockassumptions that is listed in Appendix B starting from page 51. Fig- 
ure 3.1 contains the type declarations for some of the variables and constants 
used in clockassumptions. The clockassumptions module makes use of 
the module arith, which contains the basic arithmetic facts, and countmod, 
which introduces a counting function. Nonfaultiness is expressed by the 
predicate correct. 

The first few axioms express various minor constraints on the constants 
as shown in Figure 3.2. 

The axioms constraining the physical behavior of the clock appear in 
Figure 3.3. Since we require the initial skew bound $\mu$ to not exceed $\delta_S$, 
axiom init essentially corresponds to initial skew. Axiom correct_closed 
asserts that a failed processor never recovers. Axioms rate_1 and rate_2 
together express the bounded drift condition. The axioms rts0 and rts1 
capture the bounded interval condition. These axioms look strange because 
the variable t, needed to properly capture the correctness condition, appears 
in them but not in bounded interval. Most of the obvious ways of stating 
these axioms are either too restrictive or wrong. The axiom rts2 captures 
bounded delay, and synctime_0 is just initial synchronization. The condition 
of nonoverlap appears as an antecedent to the concluding theorem rather 
than as an axiom. In the LaTeX format below, multiplication is represented 
by * as well as ⋆. These are synonymous, but the latter represents the 
uninterpreted form of multiplication whereas the former is interpreted by 
the linear arithmetic decision procedures of Ehdm. 

clockassumptions: Module 
Using arith, countmod 
Exporting all with countmod, arith 

Theory 

process: Type is nat 
event: Type is nat 
time: Type is number 
Clocktime: Type is number 

l, m, n, p, q, p1, p2, q1, q2, p3, q3: Var process 
i, j, k: Var event 
x, y, z, r, s, t: Var time 
X, Y, Z, R, S, T: Var Clocktime 
γ, θ: Var function[process → Clocktime] 
δ, μ, ρ, r_min, r_max, β, Λ: number 

PC_{*1}(*2), VC_{*1}(*2): function[process, time → Clocktime] 
t_{*1}^{*2}: function[process, event → time] 
Θ_{*1}^{*2}: function[process, event → function[process → Clocktime]] 
IC_{*1}^{*2}(*3): function[process, event, time → Clocktime] 
correct: function[process, time → bool] 
cfn: function[process, function[process → Clocktime] → Clocktime] 
π: function[Clocktime, Clocktime → Clocktime] 
α: function[Clocktime → Clocktime] 

Figure 3.1: Declarations from module clockassumptions 

delta_0: Axiom δ > 0 
mu_0: Axiom μ > 0 
rho_0: Axiom ρ > 0 
rho_1: Axiom ρ < 1 
rmin_0: Axiom r_min > 0 
rmax_0: Axiom r_max > 0 
beta_0: Axiom β > 0 
lamb_0: Axiom Λ > 0 

Figure 3.2: Constants in module clockassumptions 

The definitions of the virtual clock and the interval clock in terms of the 
physical clock appear in Figure 3.4. These correspond to (2.1.1), (2.1.4), 
and (2.1.3), respectively. 

The conditions on the convergence function appear in Figure 3.5. The 
axiom Readerror corresponds to the condition reading error . The axiom 
correct-count corresponds to bounded faults. The remaining correspon- 
dences should be self-evident. 

Some of the definitions and lemmas from the module clockassumptions 
have been omitted from this discussion. 
init: Axiom correct(p, 0) ⊃ PC_p(0) ≥ 0 ∧ PC_p(0) ≤ μ 

correct_closed: Axiom s ≥ t ∧ correct(p, s) ⊃ correct(p, t) 

rate_1: Axiom correct(p, s) ∧ s ≥ t ⊃ PC_p(s) − PC_p(t) ≤ (s − t) ⋆ (1 + ρ) 

rate_2: Axiom correct(p, s) ∧ s ≥ t ⊃ PC_p(s) − PC_p(t) ≥ (s − t) ⋆ (1 − ρ) 

rts0: Axiom correct(p, t) ∧ t < t_p^{i+1} ⊃ t − t_p^i ≤ r_max 

rts1: Axiom correct(p, t) ∧ t ≥ t_p^{i+1} ⊃ t − t_p^i ≥ r_min 

rts_0: Lemma correct(p, t_p^{i+1}) ⊃ t_p^{i+1} − t_p^i ≤ r_max 

rts_1: Lemma correct(p, t_p^{i+1}) ⊃ t_p^{i+1} − t_p^i ≥ r_min 

rts2: Axiom correct(p, t) ∧ t ≥ t_q^i + β ∧ correct(q, t) ⊃ t ≥ t_p^i 

rts_2: Axiom correct(p, t_p^i) ∧ correct(q, t_q^i) ⊃ t_p^i − t_q^i ≤ β 

synctime_0: Axiom t_p^0 = 0 

Figure 3.3: Physical clock axioms in module clockassumptions 


VClock_defn: Axiom 
  correct(p, t) ∧ t ≥ t_p^i ∧ t < t_p^{i+1} ⊃ VC_p(t) = IC_p^i(t) 

Adj: function[process, event → Clocktime] = 
  (λ p, i: (if i > 0 then cfn(p, Θ_p^i) − PC_p(t_p^i) else 0 end if)) 

IClock_defn: Axiom correct(p, t) ⊃ IC_p^i(t) = PC_p(t) + Adj(p, i) 

Figure 3.4: Clock definitions in module clockassumptions 


Readerror: Axiom correct(p, t_p^{i+1}) ∧ correct(q, t_q^{i+1}) 
  ⊃ |Θ_p^{i+1}(q) − IC_q^i(t_p^{i+1})| ≤ Λ 

translation_invariance: Axiom 
  X ≥ 0 ⊃ cfn(p, (λ p1 → Clocktime: γ(p1) + X)) = cfn(p, γ) + X 

ppred: Var function[process → bool] 
maxfaults: process 

okay_Readpred: function[function[process → Clocktime], Clocktime, 
  function[process → bool] → bool] = 
  (λ γ, Y, ppred: (∀ l, m: ppred(l) ∧ ppred(m) ⊃ |γ(l) − γ(m)| ≤ Y)) 

okay_pairs: function[function[process → Clocktime], 
  function[process → Clocktime], Clocktime, 
  function[process → bool] → bool] = 
  (λ γ, θ, X, ppred: (∀ p3: ppred(p3) ⊃ |γ(p3) − θ(p3)| ≤ X)) 

N: process 

N_0: Axiom N > 0 

N_maxfaults: Axiom maxfaults < N 

precision_enhancement_ax: Axiom 
  count(ppred, N) ≥ N − maxfaults 
  ∧ okay_Readpred(γ, Y, ppred) 
  ∧ okay_Readpred(θ, Y, ppred) 
  ∧ okay_pairs(γ, θ, X, ppred) ∧ ppred(p) ∧ ppred(q) 
  ⊃ |cfn(p, γ) − cfn(q, θ)| ≤ π(X, Y) 

correct_count: Axiom count((λ p: correct(p, t)), N) ≥ N − maxfaults 

accuracy_preservation_ax: Axiom 
  okay_Readpred(γ, X, ppred) 
  ∧ count(ppred, N) ≥ N − maxfaults ∧ ppred(p) ∧ ppred(q) 
  ⊃ |cfn(p, γ) − γ(q)| ≤ α(X) 

Figure 3.5: Conditions on Logical Clocks in module clockassumptions 
agreement: Lemma β ≤ r_min 
  ∧ μ ≤ δ_S ∧ π(2 * Λ + 2 * β ⋆ ρ, δ_S + 2 * ((r_max + β) ⋆ ρ + Λ)) ≤ δ_S 
  ∧ δ_S + 2 * r_max ⋆ ρ ≤ δ 
  ∧ α(δ_S + 2 * (r_max + β) ⋆ ρ + 2 * Λ) + Λ + 2 * β ⋆ ρ ≤ δ 
  ∧ t ≥ 0 ∧ correct(p, t) ∧ correct(q, t) 
  ⊃ |VC_p(t) − VC_q(t)| ≤ δ 

Figure 3.6: Main Theorem in module lemma_final 


okaymaxsync: function[nat, Clocktime → bool] = 
  (λ i, X: (∀ p, q: 
    correct(p, t_{p,q}^i) ∧ correct(q, t_{p,q}^i) 
    ⊃ |IC_p^i(t_{p,q}^i) − IC_q^i(t_{p,q}^i)| ≤ X)) 

lemma_2: Lemma β ≤ r_min 
  ∧ μ ≤ X ∧ π(2 * Λ + 2 * β ⋆ ρ, X + 2 * ((r_max + β) ⋆ ρ + Λ)) ≤ X 
  ⊃ okaymaxsync(i, X) 

Figure 3.7: Skew immediately following resynchronization from module 
readbounds 

3.2 The Proof Highlights 

The conclusion corresponding to Theorem 2.1.1 is the theorem agreement 
that appears in the module lemma_final listed at page 79 of Appendix B. 
This theorem is displayed in Figure 3.6. It should be compared to the 
statement of Theorem 2.1.1 (page 8) and to the conditions at the end of 
Section 2.3.2 (page 21). The axioms, definitions, and lemmas used, whether 
in a direct or indirect manner, in the proof of agreement are analyzed in 
Appendix C.l to ensure that all proof obligations have been discharged. 
Both the process and the result of checking these dependencies are part of 
what is termed the proof chain analysis. 

The verified version of Theorem 2.3.1 is given in Figure 3.7 extracted 
from the module readbounds listed at page 63 of Appendix B. 

The verified version of Theorem 2.3.2 appears in Figure 3.8 which is taken 
from the module lemma3 listed at page B of Appendix B. The expression 
$t^i_{(p \sqcup q)[i]}$ is an alternative notation for $t_{p,q}^i$ since $(p \sqcup q)[i]$ represents p if $t_p^i \ge t_q^i$, 
and q otherwise. 

okayClocks: function[process, process, nat → bool] = 
  (λ p, q, i: (∀ t: 
    t ≥ 0 ∧ t < t^i_{(p⊔q)[i]} ∧ correct(p, t) ∧ correct(q, t) 
    ⊃ |VC_p(t) − VC_q(t)| ≤ δ)) 

lemma3_5: Lemma β ≤ r_min 
  ∧ μ ≤ δ_S ∧ π(2 * Λ + 2 * β ⋆ ρ, δ_S + 2 * ((r_max + β) ⋆ ρ + Λ)) ≤ δ_S 
  ∧ δ_S + 2 * r_max ⋆ ρ ≤ δ 
  ∧ α(δ_S + 2 * (r_max + β) ⋆ ρ + 2 * Λ) + Λ + 2 * β ⋆ ρ ≤ δ 
  ⊃ okayClocks(p, q, i) 

Figure 3.8: Skew up to ith resynchronization from module lemma3 

The Ehdm definition of the egocentric mean function is given by icalg 
in Figure 3.9. 

The verification of the translation invariance , precision enhancement , 
and accuracy preservation properties of the egocentric mean function is pre- 
sented in Figure 3.10. The proof chain analyses for these theorems appear 
in Appendices C.2, C.3, and C.4. 
process: Type is nat 
event: Type is nat 
time: Type is number 
Clocktime: Type is number 

l, m, n, p, q, p1, p2, q1, q2, p3, q3: Var process 
i, j, k: Var event 
x, y, z, r, s, t: Var time 
X, Y, Z, R, S, T: Var Clocktime 
fun, γ, θ: Var function[process → Clocktime] 
ppred, ppred1, ppred2: Var function[process → bool] 

sigma_size: function[function[process → Clocktime], process → process] = 
  (λ fun, i: i) 

sigma: function[function[process → Clocktime], process → Clocktime] = 
  (λ fun, i: (if i > 0 then fun(i − 1) + sigma(fun, i − 1) else 0 end if)) 
  by sigma_size 

fix: function[Clocktime, Clocktime, Clocktime → Clocktime] = 
  (λ X, Y, Z: (if |Y − Z| ≤ X then Y else Z end if)) 

iconv: function[process, function[process → Clocktime], Clocktime 
  → Clocktime] = 
  (λ p, fun, Y: sigma((λ q: fix(Y, fun(q), fun(p))), N)) 

icalg: function[process, function[process → Clocktime], Clocktime 
  → Clocktime] = (λ p, fun, Y: iconv(p, fun, Y)/N) 

Figure 3.9: Egocentric mean from module ica 
ica_translation_invariance: Lemma 
  N > 0 ⊃ icalg(p, (λ q: fun(q) + X), Y) = icalg(p, fun, Y) + X 

icalg_precision_enhancement: Lemma 
  ppred(p) ∧ ppred(q) 
  ∧ count(ppred, N) ≥ N − maxfaults 
  ∧ okay_pairs(fun1, fun2, X, ppred) 
  ∧ okay_Readpred(fun1, Z, ppred) ∧ okay_Readpred(fun2, Z, ppred) 
  ⊃ icalg(p, fun1, Δ) − icalg(q, fun2, Δ) ≤ icalg_Pi(X, Z) 

icalg_accuracy_preservation: Lemma 
  ppred(p) ∧ ppred(q) 
  ∧ count(ppred, N) ≥ N − maxfaults ∧ okay_Readpred(fun, X, ppred) 
  ⊃ |icalg(p, fun, Δ) − fun(q)| 
    ≤ ((N − maxfaults) ⋆ X + maxfaults ⋆ (X + Δ))/N 

Figure 3.10: Properties of egocentric mean from modules ica, ica3, and ica4 
Chapter 4 

Conclusions 


Rigorously proving the correctness of distributed protocols is an extremely 
difficult task, with or without mechanical assistance. Fault-tolerant clock 
synchronization is an excellent example of a problem where the algorithms, 
though often simple, are not at all easily verified. In such cases, it is ex- 
tremely important to have certain organizing principles which capture the 
common features of the various protocols with convincing generality. Schnei- 
der’s schema for Byzantine clock synchronization provides such principles to 
unify the presentation and proofs of a number of different protocols. Schnei- 
der starts with certain axioms constraining the behaviors of clocks, the se- 
lection of synchronization times, and the convergence functions. He uses 
these constraints to derive a bound on the skew between any two nonfaulty 
clocks. It is worth noting for the discussion below that Schneider’s work is 
described in an unpublished technical report that has not had the benefit of 
widespread examination. 

The formalization here revises a few details from Schneider's presenta- 
tion. Schneider's notion of a global signal to trigger resynchronization has 
been dropped because such a notion is difficult to instantiate for many pro- 
tocols. Though the quantities $r_{max}$ and $r_{min}$ have a different meaning from 
Schneider's, these differences ought not to matter in any of the bounds de- 
rived. For instance, $r_{max}$ here bounds $t_p^{i+1} - t_p^i$, but Schneider's bound on 
this quantity would be $r_{max} + \beta$. However, the significant quantity in the 
proof is the difference $t_p^{i+1} - t_q^i$, and the bound on this quantity is $r_{max} + \beta$ 
in either formalization. In other words, Schneider's bounds on $\delta$ and $\delta_S$ 
ought to have been the same as those derived in Section 2.3.2, but there 
were certain minor errors of algebra in his proofs and some latitude in his 
argument. The derivation we present is extremely tight, given the structure 
of the proof. Schneider's monotonicity condition is avoided in the proofs 
here. This condition is used heavily by Schneider in his arguments, but it 
actually turns out to be false for many protocols. The statement of accuracy 
preservation is also slightly different here from that of Schneider. Schneider 
also presents the proof for the case of continuous resynchronization which is 
not handled here. 

The initial proof using Ehdm took about a month. The proof has been 
considerably revised and improved since that first effort. Verifying that 
the egocentric mean function of ICA satisfied the conditions of translation 
invariance, accuracy preservation, and precision enhancement, took about 
two weeks. The Ehdm modules are listed in Appendix B. The proof involves 
182 theorems or lemmas. A rerun of the entire proof on a SUN 3/470 takes 
3227 CPU seconds (see Appendix A). 

An early difficulty in the verification attempt was in arriving at a sat- 
isfactory formalization that suitably revised the one from Schneider. The 
proper treatment of failure proved to be a pervasive and important diffi- 
culty. Unlike other similar informal and machine-verified proofs, our for- 
malization was careful to permit processors to fail at any time. Rushby and 
von Henke [8], for example, regard processors as nonfaulty in an interval 
between synchronizations only if they have been nonfaulty for the entire 
interval. This is an adequate model for most practical purposes but it is 
less general because it does not distinguish between processors that may 
have failed at the beginning of the interval and those that failed at the very 
end of an interval. An even coarser model, and the one unwittingly used in 
most informal presentations of clock synchronization, is one where the only 
correct processors are those that never fail. In some sense, this is acceptable 
since often the only significant requirement is that a sufficient number of 
processors be nonfaulty at any given time. However, such a formalization 
allows no conclusion to be drawn regarding a processor which has yet to fail 
but does eventually fail, since it is regarded as always having been faulty. 

To illustrate the circularity lurking in the formalization of time and fail- 
ure, consider the following seemingly natural formalization of nonfaultiness 
in an interval. Suppose that a processor is described as nonfaulty for an 
interval if it functions normally through the end of the interval. Let the 
end of the interval be the time at which the nonfaulty clocks indicate a cer- 
tain reading or have performed a certain operation such as resetting their 
readings. Suppose, for example, that the end of the interval is given by the 
time t when the slowest of the “nonfaulty” clocks p reads T. Now suppose 
that p fails exactly at t. Then clearly the end of the interval is earlier than 
t, but at any point earlier than t, processor p is nonfaulty and has yet to 
read T. This "natural" definition of the end of an interval thus yields a 
contradiction. Many similar problems arose frequently in attempting to set 
down the clock axioms. The most natural statement of these axioms often 
turned out to be either wrong or too restrictive. It is also important to ob- 
serve that these problems would never have been noticed in most informal 
presentations since these details, though important, would have been largely 
ignored. 

The most useful features of Ehdm for this verification were the decision 
procedures for linear integer and real inequalities and equalities. The in- 
formal proof is of course replete with long chains of inequality reasoning, 
and the decision procedures handled those steps in a fairly mechanical man- 
ner. The higher-order features of the language were also used to formalize 
the conditions of translation invariance, precision enhancement, and accu- 
racy preservation, but these were not essential. These could have also been 
formalized in terms of lists or finite arrays. The language of Ehdm under- 
went a number of improvements during this project, and not all of these 
improvements have been exploited in this proof. The use of predicate sub- 
types would have permitted the introduction of types corresponding to the 
non-negative and the positive numbers. 

Fault-tolerant distributed protocols are sufficiently delicate to warrant 
careful, formal, mechanized analysis. Schneider's presentation of Byzantine 
fault-tolerant clock synchronization protocols provides a valuable mathemat- 
ical framework for such an analysis. The machine-checked proof of Schnei- 
der's protocol led to a more precise formulation of the protocol and a more 
closely reasoned proof. It is inconceivable that the same degree of logical 
rigor and accuracy could be achieved without computational assistance. 
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Appendix A 

Proof Summary 


The proof summary is the result of executing a command to attempt to 
prove all the proof declarations in the context. The only failures are in the 
automatically generated proof declarations for the type correctness condi- 
tions (tcc). The time given below is the running time on a SUN 3/470. 

Proof summaries for modules on using chain of module top 

Module division_tcc: 7 successful proofs, 0 failures, 0 errors 

Module tcc_proofs_tcc: 2 successful proofs, 1 failure, 0 errors 

Module ica3_tcc: 0 successful proofs, 3 failures, 0 errors 

Module ica4_tcc: 0 successful proofs, 2 failures, 0 errors 

Module ica_tcc: 1 successful proof, 2 failures, 0 errors 

Module lemma_final_tcc: 0 successful proofs, 5 failures, 0 errors 

Module countmod_tcc: 3 successful proofs, 2 failures, 0 errors 

Module tcc_proofs: 14 successful proofs, 0 failures, 0 errors 

Module ica3: 8 successful proofs, 0 failures, 0 errors 

Module ica2: 20 successful proofs, 0 failures, 0 errors 

Module ica: 6 successful proofs, 0 failures, 0 errors 

Module ica4: 8 successful proofs, 0 failures, 0 errors 

Module basics: 25 successful proofs, 0 failures, 0 errors 

Module readbounds: 12 successful proofs, 0 failures, 0 errors 

Module lemma3: 24 successful proofs, 0 failures, 0 errors 

Module countmod: no proofs 

Module clockassumptions: 9 successful proofs, 0 failures, 0 errors 

Module lemma_final: 5 successful proofs, 0 failures, 0 errors 

Module absmod: 15 successful proofs, 0 failures, 0 errors 

Module division: 11 successful proofs, 0 failures, 0 errors 

Module multiplication: 11 successful proofs, 0 failures, 0 errors 

Module arith: no proofs 

Module top: 1 successful proof, 0 failures, 0 errors 

Totals: 182 successful proofs, 15 failures, 0 errors 

Total time: 3227 seconds. 

Appendix B 

The Complete Ehdm Proof 


Note that the modules ending with _tcc are automatically generated during 
type checking. The proofs declared in these modules may not succeed, but 
all the automatically generated theorems have been proved, as illustrated by 
the completeness of the proof chain analyses in Appendix C. 
multiplication: Module 

Exporting all 

Theory 

  x, y, z, x1, y1, z1, x2, y2, z2: Var number 

  ⋆1 ⋆ ⋆2: function[number, number → number] = (λ x, y: (x * y)) 

  mult_ldistrib: Lemma x ⋆ (y + z) = x ⋆ y + x ⋆ z 
  mult_ldistrib_minus: Lemma x ⋆ (y − z) = x ⋆ y − x ⋆ z 
  mult_rident: Lemma x ⋆ 1 = x 
  mult_lident: Lemma 1 ⋆ x = x 
  distrib: Lemma (x + y) ⋆ z = x ⋆ z + y ⋆ z 
  distrib_minus: Lemma (x − y) ⋆ z = x ⋆ z − y ⋆ z 
  mult_non_neg: Axiom ((x ≥ 0 ∧ y ≥ 0) ∨ (x ≤ 0 ∧ y ≤ 0)) ⇔ x ⋆ y ≥ 0 
  mult_pos: Axiom ((x > 0 ∧ y > 0) ∨ (x < 0 ∧ y < 0)) ⇔ x ⋆ y > 0 
  mult_com: Lemma x ⋆ y = y ⋆ x 
  pos_product: Lemma x ≥ 0 ∧ y ≥ 0 ⊃ x ⋆ y ≥ 0 
  mult_leq: Lemma z ≥ 0 ∧ x ≥ y ⊃ x ⋆ z ≥ y ⋆ z 
  mult_leq_2: Lemma z ≥ 0 ∧ x ≥ y ⊃ z ⋆ x ≥ z ⋆ y 
  mult_l0: Axiom 0 ⋆ x = 0 
  mult_gt: Lemma z > 0 ∧ x > y ⊃ x ⋆ z > y ⋆ z 

Proof 

  mult_gt_pr: Prove mult_gt from 
    mult_pos {x ← x − y, y ← z}, distrib_minus 

  distrib_minus_pr: Prove distrib_minus from 
    mult_ldistrib_minus {x ← z, y ← x, z ← y}, 
    mult_com {x ← x − y, y ← z}, 
    mult_com {y ← z}, 
    mult_com {x ← y, y ← z} 

  mult_leq_2_pr: Prove mult_leq_2 from 
    mult_ldistrib_minus {x ← z, y ← x, z ← y}, 
    mult_non_neg {x ← z, y ← x − y} 

  mult_leq_pr: Prove mult_leq from 
    distrib_minus, mult_non_neg {x ← x − y, y ← z} 

  mult_com_pr: Prove mult_com from ⋆1 ⋆ ⋆2, ⋆1 ⋆ ⋆2 {x ← y, y ← x} 

  pos_product_pr: Prove pos_product from mult_non_neg 

  mult_rident_proof: Prove mult_rident from ⋆1 ⋆ ⋆2 {y ← 1} 

  mult_lident_proof: Prove mult_lident from ⋆1 ⋆ ⋆2 {x ← 1, y ← x} 

  distrib_proof: Prove distrib from 
    ⋆1 ⋆ ⋆2 {x ← x + y, y ← z}, 
    ⋆1 ⋆ ⋆2 {y ← z}, 
    ⋆1 ⋆ ⋆2 {x ← y, y ← z} 

  mult_ldistrib_proof: Prove mult_ldistrib from 
    ⋆1 ⋆ ⋆2 {y ← y + z, x ← x}, ⋆1 ⋆ ⋆2, ⋆1 ⋆ ⋆2 {y ← z} 

  mult_ldistrib_minus_proof: Prove mult_ldistrib_minus from 
    ⋆1 ⋆ ⋆2 {y ← y − z, x ← x}, ⋆1 ⋆ ⋆2, ⋆1 ⋆ ⋆2 {y ← z} 
End multiplication 

absmod: Module 

Using multiplication 

Exporting all 

Theory 

  x, y, z, x1, y1, z1, x2, y2, z2: Var number 

  |⋆1|: Definition function[number → number] = 
    (λ x: (if x < 0 then −x else x end if)) 

  abs_main: Lemma |x| ≤ z ⊃ (x ≤ z ∨ −x ≤ z) 
  abs_leq_0: Lemma |x − y| ≤ z ⊃ (x − y) ≤ z 
  abs_diff: Lemma |x − y| ≤ z ⊃ ((x − y) ≤ z ∨ (y − x) ≤ z) 
  abs_leq: Lemma |x| ≤ z ⊃ (x ≤ z ∨ −x ≤ z) 
  abs_bnd: Lemma 0 ≤ z ∧ 0 ≤ x ∧ x ≤ z ∧ 0 ≤ y ∧ y ≤ z ⊃ |x − y| ≤ z 
  abs_1_bnd: Lemma |x − y| ≤ z ⊃ x ≤ y + z 
  abs_2_bnd: Lemma |x − y| ≤ z ⊃ x ≥ y − z 
  abs_3_bnd: Lemma x ≤ y + z ∧ x ≥ y − z ⊃ |x − y| ≤ z 
  abs_drift: Lemma |x − y| ≤ z ∧ |x1 − x| ≤ z1 ⊃ |x1 − y| ≤ z + z1 
  abs_com: Lemma |x − y| = |y − x| 
  abs_drift_2: Lemma 
    |x − y| ≤ z ∧ |x1 − x| ≤ z1 ∧ |y1 − y| ≤ z2 ⊃ |x1 − y1| ≤ z + z1 + z2 
  abs_geq: Lemma x ≥ y ∧ y ≥ 0 ⊃ |x| ≥ |y| 
  abs_ge0: Lemma x ≥ 0 ⊃ |x| = x 
  abs_plus: Lemma |x + y| ≤ |x| + |y| 
  abs_diff_3: Lemma x − y ≤ z ∧ y − x ≤ z ⊃ |x − y| ≤ z 

Proof 

  abs_plus_pr: Prove abs_plus from |⋆1| {x ← x + y}, |⋆1|, |⋆1| {x ← y} 
  abs_diff_3_pr: Prove abs_diff_3 from |⋆1| {x ← x − y} 
  abs_ge0_proof: Prove abs_ge0 from |⋆1| 
  abs_geq_proof: Prove abs_geq from |⋆1|, |⋆1| {x ← y} 

  abs_drift_2_proof: Prove abs_drift_2 from 
    abs_drift, 
    abs_drift {x ← y, y ← y1, z ← z2, z1 ← z + z1}, 
    abs_com {x ← y1} 

  abs_com_proof: Prove abs_com from |⋆1| {x ← (x − y)}, |⋆1| {x ← (y − x)} 

  abs_drift_proof: Prove abs_drift from 
    abs_1_bnd, 
    abs_1_bnd {x ← x1, y ← x, z ← z1}, 
    abs_2_bnd, 
    abs_2_bnd {x ← x1, y ← x, z ← z1}, 
    abs_3_bnd {x ← x1, z ← z + z1} 

  abs_3_bnd_proof: Prove abs_3_bnd from |⋆1| {x ← (x − y)} 
  abs_main_proof: Prove abs_main from |⋆1| 
  abs_leq_0_proof: Prove abs_leq_0 from |⋆1| {x ← x − y} 
  abs_diff_proof: Prove abs_diff from |⋆1| {x ← (x − y)} 
  abs_leq_proof: Prove abs_leq from |⋆1| 
  abs_bnd_proof: Prove abs_bnd from |⋆1| {x ← (x − y)} 
  abs_1_bnd_proof: Prove abs_1_bnd from |⋆1| {x ← (x − y)} 
  abs_2_bnd_proof: Prove abs_2_bnd from |⋆1| {x ← (x − y)} 
End absmod 

division: Module 

Using multiplication, absmod 

Exporting all 

Theory 

  x, y, z, x1, y1, z1, x2, y2, z2: Var number 

  ⌈⋆1⌉: function[number → int] 

  ceil_defn: Axiom ⌈x⌉ ≥ x ∧ ⌈x⌉ − 1 < x 
  mult_div_1: Axiom z ≠ 0 ⊃ x ⋆ y/z = x ⋆ (y/z) 
  mult_div_2: Axiom z ≠ 0 ⊃ x ⋆ y/z = (x/z) ⋆ y 
  mult_div_3: Axiom z ≠ 0 ⊃ (z/z) = 1 
  mult_div: Lemma y ≠ 0 ⊃ (x/y) ⋆ y = x 
  div_cancel: Lemma x ≠ 0 ⊃ x ⋆ y/x = y 
  div_distrib: Lemma z ≠ 0 ⊃ ((x + y)/z) = (x/z) + (y/z) 
  ceil_mult_div: Lemma y > 0 ⊃ ⌈x/y⌉ ⋆ y ≥ x 
  ceil_plus_mult_div: Lemma y > 0 ⊃ (⌈x/y⌉ + 1) ⋆ y > x 
  div_nonnegative: Lemma x ≥ 0 ∧ y > 0 ⊃ (x/y) ≥ 0 
  div_minus_distrib: Lemma z ≠ 0 ⊃ (x − y)/z = (x/z) − (y/z) 
  div_ineq: Lemma z > 0 ∧ x ≤ y ⊃ (x/z) ≤ (y/z) 
  abs_div: Lemma y > 0 ⊃ |x/y| = |x|/y 
  mult_minus: Lemma y ≠ 0 ⊃ −(x/y) = (−x/y) 
  div_minus_1: Lemma y > 0 ∧ x < 0 ⊃ (x/y) < 0 

Proof 

  div_nonnegative_pr: Prove div_nonnegative from 
    mult_non_neg {x ← (if y ≠ 0 then (x/y) else 0 end if)}, mult_div 

  div_distrib_pr: Prove div_distrib from 
    mult_div_1 {x ← x + y, y ← 1, z ← z}, 
    mult_rident {x ← x + y}, 
    mult_div_1 {x ← x, y ← 1, z ← z}, 
    mult_rident, 
    mult_div_1 {x ← y, y ← 1, z ← z}, 
    mult_rident {x ← y}, 
    distrib {z ← (if z ≠ 0 then (1/z) else 0 end if)} 

  div_cancel_pr: Prove div_cancel from 
    mult_div_2 {z ← x}, mult_div_3 {z ← x}, mult_lident {x ← y} 

  mult_div_pr: Prove mult_div from 
    mult_div_2 {z ← y}, mult_div_1 {z ← y}, mult_div_3 {z ← y}, mult_rident 

  abs_div_pr: Prove abs_div from 
    |⋆1| {x ← (if y ≠ 0 then (x/y) else 0 end if)}, 
    |⋆1|, 
    div_nonnegative, 
    div_minus_1, 
    mult_minus 

  mult_minus_pr: Prove mult_minus from 
    mult_div_1 {x ← −1, z ← y}, 
    ⋆1 ⋆ ⋆2 {x ← −1, y ← x}, 
    ⋆1 ⋆ ⋆2 {x ← −1, y ← (if y ≠ 0 then (x/y) else 1 end if)} 

  div_minus_1_pr: Prove div_minus_1 from 
    mult_div, 
    pos_product {x ← (if y ≠ 0 then (x/y) else 0 end if), y ← y} 

  div_minus_distrib_pr: Prove div_minus_distrib from 
    div_distrib {y ← −y}, mult_minus {x ← y, y ← z} 

  div_ineq_pr: Prove div_ineq from 
    mult_div {y ← z}, 
    mult_div {x ← y, y ← z}, 
    mult_gt 
      {x ← (if z ≠ 0 then (x/z) else 0 end if), 
       y ← (if z ≠ 0 then (y/z) else 0 end if)} 

  ceil_plus_mult_div_proof: Prove ceil_plus_mult_div from 
    ceil_mult_div, 
    distrib 
      {x ← ⌈(if y ≠ 0 then (x/y) else 0 end if)⌉, 
       y ← 1, 
       z ← y}, 
    mult_lident {x ← y} 

  ceil_mult_div_proof: Prove ceil_mult_div from 
    mult_div, 
    mult_leq 
      {x ← ⌈(if y ≠ 0 then (x/y) else 0 end if)⌉, 
       y ← (if y ≠ 0 then (x/y) else 0 end if), 
       z ← y}, 
    ceil_defn {x ← (if y ≠ 0 then (x/y) else 0 end if)} 
End division 

division_tcc: Module 

Using division 

Exporting all with division 

Theory 

  x: Var number 
  y: Var number 
  z: Var number 

  mult_div_1_TCC1: Formula (z ≠ 0) ⊃ (z ≠ 0) 
  mult_div_TCC1: Formula (y ≠ 0) ⊃ (y ≠ 0) 
  div_cancel_TCC1: Formula (x ≠ 0) ⊃ (x ≠ 0) 
  ceil_mult_div_TCC1: Formula (y > 0) ⊃ (y ≠ 0) 
  div_nonnegative_TCC1: Formula (x ≥ 0 ∧ y > 0) ⊃ (y ≠ 0) 
  div_ineq_TCC1: Formula (z > 0 ∧ x ≤ y) ⊃ (z ≠ 0) 
  div_minus_1_TCC1: Formula (y > 0 ∧ x < 0) ⊃ (y ≠ 0) 

Proof 

  mult_div_1_TCC1_PROOF: Prove mult_div_1_TCC1 
  mult_div_TCC1_PROOF: Prove mult_div_TCC1 
  div_cancel_TCC1_PROOF: Prove div_cancel_TCC1 
  ceil_mult_div_TCC1_PROOF: Prove ceil_mult_div_TCC1 
  div_nonnegative_TCC1_PROOF: Prove div_nonnegative_TCC1 
  div_ineq_TCC1_PROOF: Prove div_ineq_TCC1 
  div_minus_1_TCC1_PROOF: Prove div_minus_1_TCC1 
End division_tcc 

arith: Module 

Using multiplication, division, absmod 
Exporting all with multiplication, division, absmod 

End arith 

countmod: Module 

Exporting all 

Theory 

  m, n, p, q, p1, p2, q1, q2, p3, q3: Var nat 
  i, j, k: Var nat 
  x, y, z, r, s, t: Var number 
  X, Y, Z: Var number 

  ppred, ppred1, ppred2: Var function[nat → bool] 
  fun, fun1, fun2: Var function[nat → number] 

  countsize: function[function[nat → bool], nat → nat] = (λ ppred, i: i) 

  count: Recursive function[function[nat → bool], nat → nat] = 
    (λ ppred, i: (if i > 0 
                  then (if ppred(i − 1) 
                        then 1 + (count(ppred, i − 1)) 
                        else count(ppred, i − 1) 
                        end if) 
                  else 0 
                  end if)) by countsize 
End countmod 

countmod_tcc: Module 

Using countmod 

Exporting all with countmod 

Theory 

  i: Var naturalnumber 
  ppred: Var function[naturalnumber → boolean] 

  count_TCC1: Formula (i > 0) ⊃ (i − 1 ≥ 0) 
  count_TCC2: Formula (ppred(i − 1)) ∧ (i > 0) ⊃ (i − 1 ≥ 0) 
  count_TCC3: Formula (¬(ppred(i − 1))) ∧ (i > 0) ⊃ (i − 1 ≥ 0) 
  count_TCC4: Formula 
    (ppred(i − 1)) ∧ (i > 0) ⊃ countsize(ppred, i) > countsize(ppred, i − 1) 
  count_TCC5: Formula 
    (¬(ppred(i − 1))) ∧ (i > 0) ⊃ countsize(ppred, i) > countsize(ppred, i − 1) 

Proof 

  count_TCC1_PROOF: Prove count_TCC1 
  count_TCC2_PROOF: Prove count_TCC2 
  count_TCC3_PROOF: Prove count_TCC3 
  count_TCC4_PROOF: Prove count_TCC4 
  count_TCC5_PROOF: Prove count_TCC5 

End countmod_tcc 

clockassumptions: Module 

Using arith, countmod 

Exporting all with countmod, arith 

Theory 

  process: Type is nat 
  event: Type is nat 
  time: Type is number 
  Clocktime: Type is number 

  l, m, n, p, q, p1, p2, q1, q2, p3, q3: Var process 
  i, j, k: Var event 
  x, y, z, r, s, t: Var time 
  X, Y, Z, R, S, T: Var Clocktime 
  γ, θ: Var function[process → Clocktime] 

  δ, μ, ρ, r_min, r_max, β, Λ: number 
  PC_⋆1(⋆2), VC_⋆1(⋆2): function[process, time → Clocktime] 
  t_⋆1^⋆2: function[process, event → time] 
  Θ_⋆1^⋆2: function[process, event → function[process → Clocktime]] 
  IC_⋆1^⋆2(⋆3): function[process, event, time → Clocktime] 
  correct: function[process, time → bool] 
  cfn: function[process, function[process → Clocktime] → Clocktime] 
  π: function[Clocktime, Clocktime → Clocktime] 
  α: function[Clocktime → Clocktime] 

  delta_0: Axiom δ > 0 
  mu_0: Axiom μ ≥ 0 
  rho_0: Axiom ρ > 0 
  rho_1: Axiom ρ < 1 
  rmin_0: Axiom r_min > 0 
  rmax_0: Axiom r_max > 0 
  beta_0: Axiom β ≥ 0 
  lamb_0: Axiom Λ ≥ 0 

  init: Axiom correct(p, 0) ⊃ PC_p(0) ≥ 0 ∧ PC_p(0) ≤ μ 
  correct_closed: Axiom s ≥ t ∧ correct(p, s) ⊃ correct(p, t) 
  rate_1: Axiom correct(p, s) ∧ s ≥ t ⊃ PC_p(s) − PC_p(t) ≤ (s − t) ⋆ (1 + ρ) 
  rate_2: Axiom correct(p, s) ∧ s ≥ t ⊃ PC_p(s) − PC_p(t) ≥ (s − t) ⋆ (1 − ρ) 
  rts0: Axiom correct(p, t) ∧ t ≤ t_p^{i+1} ⊃ t − t_p^i ≤ r_max 
  rts1: Axiom correct(p, t) ∧ t ≥ t_p^{i+1} ⊃ t − t_p^i ≥ r_min 
  rts_0: Lemma correct(p, t_p^{i+1}) ⊃ t_p^{i+1} − t_p^i ≤ r_max 
  rts_1: Lemma correct(p, t_p^{i+1}) ⊃ t_p^{i+1} − t_p^i ≥ r_min 
  rts2: Axiom correct(p, t) ∧ t ≥ t_q^i + β ∧ correct(q, t) ⊃ t ≥ t_p^i 
  rts_2: Axiom correct(p, t_p^i) ∧ correct(q, t_q^i) ⊃ t_p^i − t_q^i ≤ β 
  synctime_0: Axiom t_p^0 = 0 

  VClock_defn: Axiom 
    correct(p, t) ∧ t ≥ t_p^i ∧ t < t_p^{i+1} ⊃ VC_p(t) = IC_p^i(t) 

  Adj: function[process, event → Clocktime] = 
    (λ p, i: (if i > 0 then cfn(p, Θ_p^i) − PC_p(t_p^i) else 0 end if)) 

  IClock_defn: Axiom correct(p, t) ⊃ IC_p^i(t) = PC_p(t) + Adj(p, i) 

  Readerror: Axiom correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1}) 
    ⊃ |Θ_p^{i+1}(q) − IC_q^i(t_p^{i+1})| ≤ Λ 

  translation_invariance: Axiom 
    X ≥ 0 ⊃ cfn(p, (λ p1 → Clocktime: γ(p1) + X)) = cfn(p, γ) + X 

  ppred: Var function[process → bool] 
  maxfaults: process 

  okay_Readpred: function[function[process → Clocktime], Clocktime, 
                          function[process → bool] → bool] = 
    (λ γ, Y, ppred: (∀ l, m: ppred(l) ∧ ppred(m) ⊃ |γ(l) − γ(m)| ≤ Y)) 

  okay_pairs: function[function[process → Clocktime], 
                       function[process → Clocktime], Clocktime, 
                       function[process → bool] → bool] = 
    (λ γ, θ, X, ppred: (∀ p3: ppred(p3) ⊃ |γ(p3) − θ(p3)| ≤ X)) 

  N: process 
  N_0: Axiom N > 0 
  N_maxfaults: Axiom maxfaults ≤ N 

  precision_enhancement_ax: Axiom 
    count(ppred, N) ≥ N − maxfaults 
    ∧ okay_Readpred(γ, Y, ppred) 
    ∧ okay_Readpred(θ, Y, ppred) 
    ∧ okay_pairs(γ, θ, X, ppred) ∧ ppred(p) ∧ ppred(q) 
    ⊃ |cfn(p, γ) − cfn(q, θ)| ≤ π(X, Y) 

  correct_count: Axiom count((λ p: correct(p, t)), N) ≥ N − maxfaults 

  okay_Reading: function[function[process → Clocktime], Clocktime, time 
                         → bool] = 
    (λ γ, Y, t: (∀ p1, q1: 
       correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) − γ(q1)| ≤ Y)) 

  okay_Readvars: function[function[process → Clocktime], 
                          function[process → Clocktime], Clocktime, time 
                          → bool] = 
    (λ γ, θ, X, t: (∀ p3: correct(p3, t) ⊃ |γ(p3) − θ(p3)| ≤ X)) 

  okay_Readpred_Reading: Lemma 
    okay_Reading(γ, Y, t) ⊃ okay_Readpred(γ, Y, (λ p: correct(p, t))) 

  okay_pairs_Readvars: Lemma 
    okay_Readvars(γ, θ, X, t) ⊃ okay_pairs(γ, θ, X, (λ p: correct(p, t))) 

  precision_enhancement: Lemma 
    okay_Reading(γ, Y, t_p^{i+1}) 
    ∧ okay_Reading(θ, Y, t_p^{i+1}) 
    ∧ okay_Readvars(γ, θ, X, t_p^{i+1}) 
    ∧ correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1}) 
    ⊃ |cfn(p, γ) − cfn(q, θ)| ≤ π(X, Y) 

  okay_Reading_defn_lr: Lemma 
    okay_Reading(γ, Y, t) 
    ⊃ (∀ p1, q1: correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) − γ(q1)| ≤ Y) 

  okay_Reading_defn_rl: Lemma 
    (∀ p1, q1: correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) − γ(q1)| ≤ Y) 
    ⊃ okay_Reading(γ, Y, t) 

  okay_Readvars_defn_lr: Lemma 
    okay_Readvars(γ, θ, X, t) ⊃ (∀ p3: correct(p3, t) ⊃ |γ(p3) − θ(p3)| ≤ X) 

  okay_Readvars_defn_rl: Lemma 
    (∀ p3: correct(p3, t) ⊃ |γ(p3) − θ(p3)| ≤ X) ⊃ okay_Readvars(γ, θ, X, t) 

  accuracy_preservation_ax: Axiom 
    okay_Readpred(γ, X, ppred) 
    ∧ count(ppred, N) ≥ N − maxfaults ∧ ppred(p) ∧ ppred(q) 
    ⊃ |cfn(p, γ) − γ(q)| ≤ α(X) 

Proof 

  okay_Reading_defn_rl_pr: Prove 
    okay_Reading_defn_rl {p1 ← p1@P1S, q1 ← q1@P1S} from okay_Reading 

  okay_Reading_defn_lr_pr: Prove okay_Reading_defn_lr from 
    okay_Reading {p1 ← p1@CS, q1 ← q1@CS} 

  okay_Readvars_defn_rl_pr: Prove okay_Readvars_defn_rl {p3 ← p3@P1S} from 
    okay_Readvars 

  okay_Readvars_defn_lr_pr: Prove okay_Readvars_defn_lr from 
    okay_Readvars {p3 ← p3@CS} 

  precision_enhancement_pr: Prove precision_enhancement from 
    precision_enhancement_ax {ppred ← (λ q: correct(q, t_p^{i+1}))}, 
    okay_Readpred_Reading {t ← t_p^{i+1}}, 
    okay_Readpred_Reading {t ← t_p^{i+1}, γ ← θ}, 
    okay_pairs_Readvars {t ← t_p^{i+1}}, 
    correct_count {t ← t_p^{i+1}} 

  okay_Readpred_Reading_pr: Prove okay_Readpred_Reading from 
    okay_Readpred {ppred ← (λ p: correct(p, t))}, 
    okay_Reading {p1 ← l@P1S, q1 ← m@P1S} 

  okay_pairs_Readvars_pr: Prove okay_pairs_Readvars from 
    okay_pairs {ppred ← (λ p: correct(p, t))}, okay_Readvars {p3 ← p3@P1S} 

  rts_0_proof: Prove rts_0 from rts0 {t ← t_p^{i+1}} 

  rts_1_proof: Prove rts_1 from rts1 {t ← t_p^{i+1}} 

End clockassumptions 
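The module above fixes the clock axioms (rate_1/rate_2 for bounded drift, Readerror for bounded reading error, IClock_defn with Adj for the adjusted interval clocks, correct_count for the number of nonfaulty processes) but leaves cfn, π and α abstract. The Python simulation below is an added example and not part of the report's Ehdm proof: it instantiates those axioms with concrete drifting physical clocks, a deterministic reading error within Λ, and the fault-tolerant midpoint as cfn, and then evaluates the okaymaxsync skew that the readbounds module bounds in lemma_2, once with the Adj correction applied and once with it disabled. Every parameter value, the drift rates, the read-error pattern and the choice of the faulty process are constructed for this example.

```python
"""Deterministic simulation of the clockassumptions model (added example).

Constructed instance, not the report's own code: correct clocks drift at most
RHO (rate_1/rate_2), readings err by at most LAMBDA (Readerror), and the
convergence function cfn is the fault-tolerant midpoint. Exact rationals keep
the skew values reproducible.
"""
from fractions import Fraction as F
from typing import Callable, List

N, MAXFAULTS = 4, 1
RHO = F(1, 1000)          # drift-rate bound rho for correct clocks
LAMBDA = F(1, 100)        # reading-error bound Lambda
MU = F(1, 10)             # initial offset bound mu (axiom init)
R = F(100)                # nominal round length (r_min = r_max here)
ROUNDS = 20
FAULTY = 3                # constructed fault: process 3 runs 50% fast
DRIFT = [RHO, -RHO, RHO / 2, F(1, 2)]     # d_p, so PC_p(t) = (1 + d_p) t + offset
OFFSET = [F(0), MU, MU / 2, F(0)]         # PC_p(0) in [0, mu] for correct p


def count(ppred: Callable[[int], bool], i: int) -> int:
    """countmod's recursive count: number of j < i with ppred(j)."""
    return 0 if i == 0 else count(ppred, i - 1) + (1 if ppred(i - 1) else 0)


def correct(p: int) -> bool:
    return p != FAULTY


def pc(p: int, t: F) -> F:
    """Physical clock PC_p(t); rate_1/rate_2 hold because |d_p| <= RHO for correct p."""
    return (1 + DRIFT[p]) * t + OFFSET[p]


def ft_midpoint(readings: List[F], f: int) -> F:
    """Fault-tolerant midpoint: drop the f largest and f smallest, take the midpoint."""
    kept = sorted(readings)[f:len(readings) - f]
    return (kept[0] + kept[-1]) / 2


def read_error(p: int, q: int, i: int) -> F:
    """Constructed deterministic reading error in [-LAMBDA, LAMBDA]."""
    return LAMBDA * ((7 * p + 3 * q + i) % 5 - 2) / 2


def simulate(resync: bool, rounds: int = ROUNDS) -> F:
    """Run `rounds` rounds; return the worst okaymaxsync skew over correct pairs."""
    adj = [[F(0)] for _ in range(N)]       # adj[p][i] = Adj(p, i); Adj(p, 0) = 0
    sync = [[F(0)] for _ in range(N)]      # sync[p][i] = t_p^i; synctime_0 gives 0
    ic = lambda q, i, t: pc(q, t) + adj[q][i]      # IClock_defn
    worst = F(0)
    for i in range(rounds):
        for p in range(N):
            # p starts round i+1 when its interval clock IC_p^i reads (i+1)*R
            t = ((i + 1) * R - adj[p][i] - OFFSET[p]) / (1 + DRIFT[p])
            sync[p].append(t)
            theta = [ic(q, i, t) + read_error(p, q, i) for q in range(N)]  # Theta_p^{i+1}
            new_adj = ft_midpoint(theta, MAXFAULTS) - pc(p, t) if resync else adj[p][i]
            adj[p].append(new_adj)
        for p in range(N):
            for q in range(p + 1, N):
                if correct(p) and correct(q):
                    tpq = max(sync[p][i + 1], sync[q][i + 1])     # t_{p,q}^{i+1}
                    worst = max(worst, abs(ic(p, i + 1, tpq) - ic(q, i + 1, tpq)))
    return worst


if __name__ == "__main__":
    assert count(correct, N) >= N - MAXFAULTS          # correct_count
    print("worst skew with resynchronization:", float(simulate(True)))
    print("worst skew without resynchronization:", float(simulate(False)))
```

With N = 4 and maxfaults = 1 the two readings that survive the trimming always lie within the span of the three correct clocks, so the faulty clock cannot drag a correct process outside that span; with correction the skew settles around a few tenths of a time unit, while the uncorrected clocks separate by 2ρ per unit of real time and pass one unit after a handful of rounds. The simulation is a sanity check on one instance, which is exactly what the mechanized proof is not: the Ehdm lemmas bound the skew for every cfn satisfying the axioms.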
basics: Module 
Using clockassumptions, arith 

Exporting all with clockassumptions 

Theory 

  p, q, p1, p2, q1, q2, l, m, n: Var process 
  i, j, k: Var event 
  x, y, z: Var number 
  r, s, t, t1, t2: Var time 
  X, Y, Z, R, S, T, T1, T2: Var Clocktime 
  γ, θ: Var function[process → time] 

  (⋆1 ⊔ ⋆2)[⋆3]: Definition function[process, process, event → process] = 
    (λ p, q, i: (if t_p^i ≥ t_q^i then p else q end if)) 

  maxsync_correct: Lemma correct(p, s) ∧ correct(q, s) ⊃ correct((p ⊔ q)[i], s) 

  minsync: Definition function[process, process, event → process] = 
    (λ p, q, i: (if t_p^i ≥ t_q^i then q else p end if)) 

  minsync_correct: Lemma correct(p, s) ∧ correct(q, s) ⊃ correct((p ⊓ q)[i], s) 

  minsync_maxsync: Lemma t_{(p ⊓ q)[i]}^i ≤ t_{(p ⊔ q)[i]}^i 

  t_{⋆1,⋆2}^{⋆3}: Definition function[process, process, event → time] = 
    (λ p, q, i: t_{(p ⊔ q)[i]}^i) 

  lemma_1: Lemma correct(p, t_p^i) ∧ correct(q, t_q^{i+1}) ∧ β < r_min 
    ⊃ t_p^i < t_q^{i+1} 

  lemma_1_1: Lemma correct(p, t_q^{i+1}) ∧ correct(q, t_q^{i+1}) ∧ β < r_min 
    ⊃ t_p^i ≤ t_q^{i+1} 

  lemma_1_2: Lemma correct(p, t_p^{i+1}) ∧ correct(q, t_q^i) 
    ⊃ t_p^{i+1} ≤ t_q^i + r_max + β 

  lemma_2_0: Lemma correct(p, 0) ∧ correct(q, 0) ⊃ |IC_p^0(0) − IC_q^0(0)| ≤ μ 

  lemma_2_1: Lemma correct(q, t_q^{i+1}) 
    ⊃ IC_q^{i+1}(t_q^{i+1}) = cfn(q, Θ_q^{i+1}) 

  lemma_2_2a: Lemma 
    correct(q, s) ∧ s ≥ t ⊃ IC_q^i(s) ≤ IC_q^i(t) + (s − t) ⋆ (1 + ρ) 

  lemma_2_2b: Lemma 
    correct(q, s) ∧ s ≥ t ⊃ IC_q^i(s) ≥ IC_q^i(t) + (s − t) ⋆ (1 − ρ) 

  abs_shift: Lemma |r − s| ≤ x 
    ∧ t1 ≤ r + y + z ∧ t1 ≥ r + y − z ∧ t2 ≤ s + y + z ∧ t2 ≥ s + y − z 
    ⊃ |t1 − t2| ≤ x + 2 ⋆ z 

  ReadClock_bnd1: Lemma 
    correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1}) 
    ⊃ Θ_p^{i+1}(q) ≤ IC_q^i(t_p^{i+1}) + Λ 

  ReadClock_bnd2: Lemma 
    correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1}) 
    ⊃ Θ_p^{i+1}(q) ≥ IC_q^i(t_p^{i+1}) − Λ 

  ReadClock_bnd11: Lemma 
    correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1}) ∧ correct(p1, t_{p1}^i) ∧ β < r_min 
    ⊃ Θ_p^{i+1}(q) ≤ IC_q^i(t_{p1}^i) + (t_p^{i+1} − t_{p1}^i) + (r_max + β) ⋆ ρ + Λ 

  ReadClock_bnd12: Lemma 
    correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1}) ∧ correct(p1, t_{p1}^i) ∧ β < r_min 
    ⊃ Θ_p^{i+1}(q) ≥ IC_q^i(t_{p1}^i) + (t_p^{i+1} − t_{p1}^i) − (r_max + β) ⋆ ρ − Λ 

  ReadClock_bnd: Lemma 
    correct(p, t_p^{i+1}) 
    ∧ correct(q, t_p^{i+1}) 
    ∧ correct(q1, t_p^{i+1}) 
    ∧ β < r_min 
    ∧ |IC_q^i(t_{q,q1}^i) − IC_{q1}^i(t_{q,q1}^i)| ≤ X 
    ⊃ |Θ_p^{i+1}(q) − Θ_p^{i+1}(q1)| ≤ X + 2 ⋆ ((r_max + β) ⋆ ρ + Λ) 

  okay_Reading_shift1: Lemma 
    correct(p1, s) ∧ s ≥ t_{p1}^{i+1} 
    ∧ β < r_min 
    ∧ (∀ p, q: 
         correct(p, t_{p,q}^i) ∧ correct(q, t_{p,q}^i) 
         ⊃ |IC_p^i(t_{p,q}^i) − IC_q^i(t_{p,q}^i)| ≤ X) 
    ⊃ okay_Reading(Θ_{p1}^{i+1}, X + 2 ⋆ ((r_max + β) ⋆ ρ + Λ), s) 

  okay_Readvars_shift_step: Lemma 
    s ≥ t1 − y ∧ s ≤ t1 + y 
    ∧ t ≥ t2 − y ∧ t ≤ t2 + y ∧ 0 ≤ t2 − t1 ∧ t2 − t1 ≤ x 
    ⊃ |s + x − t| ≤ 2 ⋆ y + x 

  okay_Readvars_shift_stepb: Lemma 
    s ≥ t1 − y ∧ s ≤ t1 + y 
    ∧ t ≥ t2 − y ∧ t ≤ t2 + y ∧ 0 ≤ t2 − t1 ∧ t2 − t1 ≤ x 
    ⊃ |s − t| ≤ 2 ⋆ y + x 

  okay_Readvars_shift_step1: Lemma 
    |s − t1| ≤ y ∧ |t − t2| ≤ y ∧ 0 ≤ t2 − t1 ∧ t2 − t1 ≤ x 
    ⊃ |s + x − t| ≤ 2 ⋆ y + x 

  okay_Readvars_shift_step2: Lemma 
    |s − t1| ≤ y ∧ |t − t2| ≤ y ∧ 0 ≤ t2 − t1 ∧ t2 − t1 ≤ x 
    ⊃ |s − t| ≤ 2 ⋆ y + x 

  okay_Readvars_shift11: Lemma 
    correct(p, t_p^{i+1}) 
    ∧ correct(q, t_p^{i+1}) ∧ correct(p1, t_p^{i+1}) ∧ t_p^{i+1} ≥ t_q^{i+1} 
    ⊃ Θ_q^{i+1}(p1) + (PC_q(t_p^{i+1}) − PC_q(t_q^{i+1})) − Θ_p^{i+1}(p1) 
      ≤ 2 ⋆ Λ + 2 ⋆ β ⋆ ρ 

  okay_Readvars_shift12: Lemma 
    correct(p, t_p^{i+1}) 
    ∧ correct(q, t_p^{i+1}) ∧ correct(p1, t_p^{i+1}) ∧ t_p^{i+1} ≥ t_q^{i+1} 
    ⊃ Θ_p^{i+1}(p1) − (Θ_q^{i+1}(p1) + (PC_q(t_p^{i+1}) − PC_q(t_q^{i+1}))) 
      ≤ 2 ⋆ Λ + 2 ⋆ β ⋆ ρ 

  okay_Readvars_shift1: Lemma 
    correct(p, t_p^{i+1}) 
    ∧ correct(q, t_p^{i+1}) ∧ correct(p1, t_p^{i+1}) ∧ t_p^{i+1} ≥ t_q^{i+1} 
    ⊃ |Θ_p^{i+1}(p1) − (Θ_q^{i+1}(p1) + (PC_q(t_p^{i+1}) − PC_q(t_q^{i+1})))| 
      ≤ 2 ⋆ Λ + 2 ⋆ β ⋆ ρ 

  okay_Readvars_shift2: Lemma 
    correct(p, t_p^{i+1}) 
    ∧ correct(q, t_p^{i+1}) ∧ t ≥ t_p^{i+1} ∧ t_p^{i+1} ≥ t_q^{i+1} 
    ⊃ okay_Readvars(Θ_p^{i+1}, Θ_q^{i+1}, 2 ⋆ Λ + 2 ⋆ β ⋆ ρ, t) 

  okay_Readvars_shift: Lemma 
    t ≥ t_p^{i+1} ∧ correct(p, t) ∧ correct(q, t) ∧ t_p^{i+1} ≥ t_q^{i+1} 
    ⊃ okay_Readvars(Θ_p^{i+1}, 
        (λ p1 → time: 
           Θ_q^{i+1}(p1) + (PC_q(t_p^{i+1}) − PC_q(t_q^{i+1}))), 
        2 ⋆ Λ + 2 ⋆ β ⋆ ρ, 
        t) 

Proof 

  maxsync_correct_pr: Prove maxsync_correct from (⋆1 ⊔ ⋆2)[⋆3] 

  minsync_correct_pr: Prove minsync_correct from minsync 

  minsync_maxsync_pr: Prove minsync_maxsync from minsync, (⋆1 ⊔ ⋆2)[⋆3] 

  okay_Reading_shift1_proof: Prove 
    okay_Reading_shift1 {p ← p1@P1S, q ← q1@P1S} from 
    okay_Reading_defn_rl 
      {γ ← Θ_{p1}^{i+1}, 
       Y ← X + 2 ⋆ ((r_max + β) ⋆ ρ + Λ), 
       t ← s}, 
    ReadClock_bnd {p ← p1, q ← p1@P1S, q1 ← q1@P1S}, 
    t_{⋆1,⋆2}^{⋆3} {p ← p1@P1S, q ← q1@P1S}, 
    maxsync_correct {p ← p1@P1S, q ← q1@P1S, s ← t_{p1}^{i+1}}, 
    correct_closed {p ← p1@P1S, t ← t_{p1}^{i+1}}, 
    correct_closed {p ← q1@P1S, t ← t_{p1}^{i+1}}, 
    correct_closed {p ← p1@P1S, t ← t_{p1@P1S,q1@P1S}^i, s ← t_{p1}^{i+1}}, 
    correct_closed {p ← q1@P1S, t ← t_{p1@P1S,q1@P1S}^i, s ← t_{p1}^{i+1}}, 
    correct_closed {p ← p1, t ← t_{p1}^{i+1}}, 
    lemma_1_1 {q ← p1, p ← (p1@P1S ⊔ q1@P1S)[i]} 

  ReadClock_bnd_proof: Prove ReadClock_bnd from 
    ReadClock_bnd11 {p1 ← (q ⊔ q1)[i]}, 
    ReadClock_bnd12 {p1 ← (q ⊔ q1)[i]}, 
    ReadClock_bnd11 {q ← q1, p1 ← (q ⊔ q1)[i]}, 
    ReadClock_bnd12 {q ← q1, p1 ← (q ⊔ q1)[i]}, 
    lemma_1_1 {p ← (q ⊔ q1)[i], q ← p}, 
    correct_closed 
      {p ← (q ⊔ q1)[i], 
       s ← t_p^{i+1}, 
       t ← t_{q,q1}^i}, 
    abs_shift 
      {r ← IC_q^i(t_{q,q1}^i), 
       s ← IC_{q1}^i(t_{q,q1}^i), 
       t1 ← Θ_p^{i+1}(q), 
       t2 ← Θ_p^{i+1}(q1), 
       y ← t_p^{i+1} − t_{q,q1}^i, 
       z ← (r_max + β) ⋆ ρ + Λ, 
       x ← X}, 
    t_{⋆1,⋆2}^{⋆3} {p ← q, q ← q1}, 
    maxsync_correct {p ← q, q ← q1, s ← t_p^{i+1}} 

  ReadClock_bnd11_proof: Prove ReadClock_bnd11 from 
    ReadClock_bnd1, 
    lemma_2_2a {s ← t_p^{i+1}, t ← t_{p1}^i}, 
    lemma_1_2 {q ← p1}, 
    lemma_1 {q ← p, p ← p1}, 
    mult_ldistrib {x ← t_p^{i+1} − t_{p1}^i, y ← 1, z ← ρ}, 
    mult_leq {x ← r_max + β, y ← t_p^{i+1} − t_{p1}^i, z ← ρ}, 
    mult_rident {x ← t_p^{i+1} − t_{p1}^i}, 
    rho_0 

  ReadClock_bnd12_proof: Prove ReadClock_bnd12 from 
    ReadClock_bnd2, 
    lemma_2_2b {s ← t_p^{i+1}, t ← t_{p1}^i}, 
    lemma_1_2 {q ← p1}, 
    lemma_1 {q ← p, p ← p1}, 
    mult_ldistrib_minus {x ← t_p^{i+1} − t_{p1}^i, y ← 1, z ← ρ}, 
    mult_leq {x ← r_max + β, y ← t_p^{i+1} − t_{p1}^i, z ← ρ}, 
    mult_rident {x ← t_p^{i+1} − t_{p1}^i}, 
    rho_0 

  ReadClock_bnd1_proof: Prove ReadClock_bnd1 from 
    Readerror, |⋆1| {x ← Θ_p^{i+1}(q) − IC_q^i(t_p^{i+1})} 

  ReadClock_bnd2_proof: Prove ReadClock_bnd2 from 
    Readerror, |⋆1| {x ← Θ_p^{i+1}(q) − IC_q^i(t_p^{i+1})} 

  okay_Readvars_shift_step1_proof: Prove okay_Readvars_shift_step1 from 
    okay_Readvars_shift_step, |⋆1| {x ← s − t1}, |⋆1| {x ← t − t2} 

  okay_Readvars_shift_step2_proof: Prove okay_Readvars_shift_step2 from 
    okay_Readvars_shift_stepb, |⋆1| {x ← s − t1}, |⋆1| {x ← t − t2} 

  okay_Readvars_shift11_proof: Prove okay_Readvars_shift11 from 
    ReadClock_bnd2 {q ← p1}, 
    ReadClock_bnd1 {p ← q, q ← p1}, 
    correct_closed {s ← t_p^{i+1}, t ← t_q^{i+1}, p ← p1}, 
    correct_closed {s ← t_p^{i+1}, t ← t_q^{i+1}, p ← q}, 
    lemma_2_2b {q ← p1, s ← t_p^{i+1}, t ← t_q^{i+1}}, 
    rate_1 {s ← t_p^{i+1}, t ← t_q^{i+1}, p ← q}, 
    mult_ldistrib_minus {x ← t_p^{i+1} − t_q^{i+1}, y ← 1, z ← ρ}, 
    mult_ldistrib {x ← t_p^{i+1} − t_q^{i+1}, y ← 1, z ← ρ}, 
    mult_leq {x ← β, y ← t_p^{i+1} − t_q^{i+1}, z ← ρ}, 
    rts_2 {i ← i + 1}, 
    rho_0 

  okay_Readvars_shift12_proof: Prove okay_Readvars_shift12 from 
    ReadClock_bnd1 {q ← p1}, 
    ReadClock_bnd2 {p ← q, q ← p1}, 
    correct_closed {s ← t_p^{i+1}, t ← t_q^{i+1}, p ← p1}, 
    correct_closed {s ← t_p^{i+1}, t ← t_q^{i+1}, p ← q}, 
    lemma_2_2a {q ← p1, s ← t_p^{i+1}, t ← t_q^{i+1}}, 
    rate_2 {s ← t_p^{i+1}, t ← t_q^{i+1}, p ← q}, 
    mult_ldistrib_minus {x ← t_p^{i+1} − t_q^{i+1}, y ← 1, z ← ρ}, 
    mult_ldistrib {x ← t_p^{i+1} − t_q^{i+1}, y ← 1, z ← ρ}, 
    mult_leq {x ← β, y ← t_p^{i+1} − t_q^{i+1}, z ← ρ}, 
    rts_2 {i ← i + 1}, 
    rho_0 

  okay_Readvars_shift1_proof: Prove okay_Readvars_shift1 from 
    okay_Readvars_shift11, 
    okay_Readvars_shift12, 
    abs_diff_3 
      {y ← Θ_q^{i+1}(p1) + (PC_q(t_p^{i+1}) − PC_q(t_q^{i+1})), 
       x ← Θ_p^{i+1}(p1), 
       z ← 2 ⋆ Λ + 2 ⋆ β ⋆ ρ} 

  okay_Readvars_shift_step_proof: Prove okay_Readvars_shift_step from 
    |⋆1| {x ← s + x − t} 

  okay_Readvars_shift_stepb_proof: Prove okay_Readvars_shift_stepb from 
    |⋆1| {x ← s − t}, |⋆1| {x ← t1 − t2} 

  okay_Readvars_shift_proof: Prove okay_Readvars_shift from 
    okay_Readvars_shift1 {p1 ← p3@P2S}, 
    okay_Readvars_defn_rl 
      {θ ← (λ p1 → time: Θ_q^{i+1}(p1) + PC_q(t_p^{i+1}) − PC_q(t_q^{i+1})), 
       γ ← Θ_p^{i+1}, 
       X ← 2 ⋆ Λ + 2 ⋆ β ⋆ ρ}, 
    correct_closed {s ← t, t ← t_p^{i+1}}, 
    correct_closed {p ← q, s ← t, t ← t_p^{i+1}}, 
    correct_closed {p ← p3@P2S, s ← t, t ← t_p^{i+1}} 

  lemma_1_proof: Prove lemma_1 from 
    rts_1 {p ← q}, 
    rts_2, 
    rmin_0, 
    correct_closed {p ← q, s ← t_q^{i+1}, t ← t_q^i} 

  lemma_1_2_proof: Prove lemma_1_2 from 
    rts_0, 
    rts_1, 
    rts_2, 
    rmin_0, 
    correct_closed {s ← t_p^{i+1}, t ← t_p^i} 

  lemma_2_0_proof: Prove lemma_2_0 from 
    synctime_0, 
    synctime_0 {p ← q}, 
    IClock_defn {p ← q, i ← 0, t ← 0}, 
    IClock_defn {i ← 0, t ← 0}, 
    Adj {i ← 0, p ← q}, 
    Adj {i ← 0}, 
    init {p ← q}, 
    init, 
    rts_1 {p ← q, i ← 0}, 
    rts_1 {i ← 0}, 
    rmin_0, 
    mu_0, 
    abs_bnd {x ← IC_p^0(t_p^0), y ← IC_q^0(t_p^0), z ← μ} 

  lemma_2_1_proof: Prove lemma_2_1 from 
    IClock_defn {p ← q, i ← i + 1, t ← t_q^{i+1}}, 
    Adj {i ← i + 1, p ← q} 

  lemma_2_2a_proof: Prove lemma_2_2a from 
    IClock_defn {p ← q, t ← s}, 
    IClock_defn {p ← q}, 
    rate_1 {p ← q}, 
    correct_closed {p ← q} 

  lemma_2_2b_proof: Prove lemma_2_2b from 
    IClock_defn {p ← q, t ← s}, 
    IClock_defn {p ← q}, 
    rate_2 {p ← q}, 
    correct_closed {p ← q} 

  abs_shift_proof: Prove abs_shift from |⋆1| {x ← r − s}, |⋆1| {x ← t1 − t2} 

  lemma_1_1_proof: Prove lemma_1_1 from 
    rts_1 {p ← q}, 
    rts2 {t ← t_q^{i+1}}, 
    beta_0, 
    rmin_0, 
    correct_closed {p ← q, s ← t_q^{i+1}, t ← t_q^i} 
End basics 

readbounds: Module 

Using basics, clockassumptions, arith 

Exporting all with basics 

Theory 

  p, q, p1, p2, q1, q2, l, m, n: Var process 
  i, j, k: Var event 
  X, Y, Z, R, S, T, T1, T2: Var Clocktime 
  x, y, z, r, s, t, t1, t2: Var number 
  γ, θ: Var function[process → Clocktime] 
  prop: Var function[nat → bool] 

  okaymaxsync: function[nat, Clocktime → bool] = 
    (λ i, X: (∀ p, q: 
       correct(p, t_{p,q}^i) ∧ correct(q, t_{p,q}^i) 
       ⊃ |IC_p^i(t_{p,q}^i) − IC_q^i(t_{p,q}^i)| ≤ X)) 

  okaymaxsync_defn_lr: Lemma 
    okaymaxsync(i, X) 
    ⊃ (∀ p, q: 
         correct(p, t_{p,q}^i) ∧ correct(q, t_{p,q}^i) 
         ⊃ |IC_p^i(t_{p,q}^i) − IC_q^i(t_{p,q}^i)| ≤ X) 

  okaymaxsync_defn_rl: Lemma 
    (∀ p, q: 
       correct(p, t_{p,q}^i) ∧ correct(q, t_{p,q}^i) 
       ⊃ |IC_p^i(t_{p,q}^i) − IC_q^i(t_{p,q}^i)| ≤ X) 
    ⊃ okaymaxsync(i, X) 

  lemma_2_base: Lemma μ ≤ X ⊃ okaymaxsync(0, X) 

  okay_Reading_shift2: Lemma 
    correct(p1, s) ∧ s ≥ t_{p1}^{i+1} ∧ β < r_min ∧ okaymaxsync(i, X) 
    ⊃ okay_Reading(Θ_{p1}^{i+1}, X + 2 ⋆ ((r_max + β) ⋆ ρ + Λ), s) 

  Cfn_IClock1: Lemma 
    correct(q, t_p^{i+1}) ∧ correct(p, t_p^{i+1}) ∧ t_p^{i+1} ≥ t_q^{i+1} 
    ⊃ IC_q^{i+1}(t_p^{i+1}) 
      = cfn(q, (λ p1 → time: Θ_q^{i+1}(p1) + PC_q(t_p^{i+1}) − PC_q(t_q^{i+1}))) 

  okay_Reading_plus: Lemma 
    okay_Reading(γ, Y, t) ⊃ okay_Reading((λ p1 → time: γ(p1) + X), Y, t) 

  lemma_2_ind1: Lemma 
    β < r_min ∧ π(2 ⋆ Λ + 2 ⋆ β ⋆ ρ, X + 2 ⋆ ((r_max + β) ⋆ ρ + Λ)) ≤ X 
    ∧ okaymaxsync(i, X) 
    ∧ t_p^{i+1} ≥ t_q^{i+1} ∧ correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1}) 
    ⊃ |cfn(p, Θ_p^{i+1}) 
       − cfn(q, 
             (λ p1 → time: 
                Θ_q^{i+1}(p1) + PC_q(t_p^{i+1}) − PC_q(t_q^{i+1})))| 
      ≤ X 

  lemma2_abs_fact: Lemma 
    t1 ≤ t ∧ t ≤ t2 ∧ |s − t1| ≤ X ∧ |s − t2| ≤ X ⊃ |s − t| ≤ X 

  lemma_2_ind3: Lemma 
    β < r_min ∧ π(2 ⋆ Λ + 2 ⋆ β ⋆ ρ, X + 2 ⋆ ((r_max + β) ⋆ ρ + Λ)) ≤ X 
    ∧ okaymaxsync(i, X) 
    ∧ t_p^{i+1} ≥ t_q^{i+1} ∧ correct(p, t_p^{i+1}) ∧ correct(q, t_p^{i+1}) 
    ⊃ |IC_p^{i+1}(t_p^{i+1}) − IC_q^{i+1}(t_p^{i+1})| ≤ X 

  lemma_2_ind_step: Lemma 
    |IC_{(p ⊔ q)[i]}^i(t) − IC_{(p ⊓ q)[i]}^i(t)| ≤ X ⊃ |IC_p^i(t) − IC_q^i(t)| ≤ X 

  lemma_2_ind: Lemma 
    β < r_min ∧ π(2 ⋆ Λ + 2 ⋆ β ⋆ ρ, X + 2 ⋆ ((r_max + β) ⋆ ρ + Λ)) ≤ X 
    ∧ okaymaxsync(i, X) 
    ⊃ okaymaxsync(i + 1, X) 

  lemma_2: Lemma β < r_min 
    ∧ μ ≤ X ∧ π(2 ⋆ Λ + 2 ⋆ β ⋆ ρ, X + 2 ⋆ ((r_max + β) ⋆ ρ + Λ)) ≤ X 
    ⊃ okaymaxsync(i, X) 

  induction: Axiom prop(0) ∧ (∀ j: prop(j) ⊃ prop(j + 1)) ⊃ prop(i) 

Proof 

  okaymaxsync_defn_lr_pr: Prove okaymaxsync_defn_lr from 
    okaymaxsync {p ← p@CS, q ← q@CS} 

  okaymaxsync_defn_rl_pr: Prove 
    okaymaxsync_defn_rl {p ← p@P1S, q ← q@P1S} from okaymaxsync 

  lemma_2_base_proof: Prove lemma_2_base from 
    t_{⋆1,⋆2}^{⋆3} {i ← 0, p ← p@P4S, q ← q@P4S}, 
    synctime_0 {p ← (p@P4S ⊔ q@P4S)[0]}, 
    lemma_2_0 {p ← p@P4S, q ← q@P4S}, 
    okaymaxsync_defn_rl {i ← 0} 

  okay_Reading_shift2_proof: Prove okay_Reading_shift2 from 
    okay_Reading_shift1, okaymaxsync_defn_lr {p ← p@P1S, q ← q@P1S} 

  Cfn_IClock1_proof: Prove Cfn_IClock1 from 
    IClock_defn {p ← q, t ← t_p^{i+1}, i ← i + 1}, 
    Adj {p ← q, i ← i + 1}, 
    translation_invariance 
      {p ← q, 
       γ ← Θ_q^{i+1}, 
       X ← PC_q(t_p^{i+1}) − PC_q(t_q^{i+1})}, 
    rate_2 {p ← q, s ← t_p^{i+1}, t ← t_q^{i+1}}, 
    rho_1, 
    pos_product {x ← t_p^{i+1} − t_q^{i+1}, y ← 1 − ρ} 

  okay_Reading_plus_proof: Prove okay_Reading_plus from 
    okay_Reading_defn_lr {p1 ← p1@P2S, q1 ← q1@P2S}, 
    okay_Reading_defn_rl {γ ← (λ p1 → time: γ(p1) + X)} 

  lemma_2_ind1_proof: Prove lemma_2_ind1 from 
    precision_enhancement 
      {θ ← (λ p1 → time: Θ_q^{i+1}(p1) + PC_q(t_p^{i+1}) − PC_q(t_q^{i+1})), 
       γ ← Θ_p^{i+1}, 
       X ← 2 ⋆ Λ + 2 ⋆ β ⋆ ρ, 
       Y ← X + 2 ⋆ ((r_max + β) ⋆ ρ + Λ)}, 
    okay_Readvars_shift {t ← t_p^{i+1}}, 
    okay_Reading_shift2 {p1 ← p, s ← t_p^{i+1}}, 
    okay_Reading_shift2 {p1 ← q, s ← t_p^{i+1}}, 
    okay_Reading_plus 
      {γ ← Θ_q^{i+1}, 
       t ← t_p^{i+1}, 
       X ← PC_q(t_p^{i+1}) − PC_q(t_q^{i+1}), 
       Y ← X + 2 ⋆ ((r_max + β) ⋆ ρ + Λ)}, 
    correct_closed {p ← q, s ← t_p^{i+1}, t ← t_q^{i+1}} 

  lemma2_abs_fact_proof: Prove lemma2_abs_fact from 
    |⋆1| {x ← s − t1}, |⋆1| {x ← s − t2}, |⋆1| {x ← s − t} 

  lemma_2_ind3_proof: Prove lemma_2_ind3 from 
    lemma_2_ind1, 
    lemma2_abs_fact 
      {s ← IC_p^{i+1}(t_p^{i+1}), 
       t ← IC_q^{i+1}(t_p^{i+1}), 
       t1 ← cfn(q, Θ_q^{i+1}), 
       t2 ← cfn(q, (λ p1 → time: Θ_q^{i+1}(p1) + β ⋆ (1 + ρ))), 
       X ← X}, 
    lemma_2_1 {q ← p}, 
    Cfn_IClock1 

  lemma_2_ind_step_proof: Prove lemma_2_ind_step from 
    (⋆1 ⊔ ⋆2)[⋆3], minsync, abs_com {x ← IC_p^i(t), y ← IC_q^i(t)} 

  lemma_2_ind_proof: Prove lemma_2_ind from 
    lemma_2_ind3 {p ← (p@P2S ⊔ q@P2S)[i + 1], q ← (p@P2S ⊓ q@P2S)[i + 1]}, 
    okaymaxsync_defn_rl {i ← i + 1}, 
    lemma_2_ind_step 
      {i ← i + 1, 
       p ← p@P2S, 
       q ← q@P2S, 
       t ← t_{p@P2S,q@P2S}^{i+1}}, 
    t_{⋆1,⋆2}^{⋆3} {i ← i + 1, p ← p@P2S, q ← q@P2S}, 
    minsync_maxsync {i ← i + 1, p ← p@P2S, q ← q@P2S}, 
    maxsync_correct 
      {i ← i + 1, 
       p ← p@P2S, 
       q ← q@P2S, 
       s ← t_{p@P2S,q@P2S}^{i+1}}, 
    minsync_correct 
      {i ← i + 1, 
       p ← p@P2S, 
       q ← q@P2S, 
       s ← t_{p@P2S,q@P2S}^{i+1}} 

  lemma_2_proof: Prove lemma_2 from 
    readbounds.induction 
      {prop ← (λ i → bool: 
         β < r_min ∧ μ ≤ X 
         ∧ π(2 ⋆ Λ + 2 ⋆ β ⋆ ρ, X + 2 ⋆ ((r_max + β) ⋆ ρ + Λ)) ≤ X 
         ⊃ okaymaxsync(i, X))}, 
    lemma_2_ind {i ← j@P1S}, 
    lemma_2_base, 
    mu_0 

End readbounds 



lemma3: Module

Using readbounds, basics, clockassumptions, arith

Exporting all with readbounds
Theory

prop: Var function[nat → bool]
l, m, n, p0, q0, p, q, p1, p2, q1, q2: Var process
i, j, k: Var event

x, y, z, r, s, t, t1, t2, x1, y1, y2: Var time
X, Y, Z, R, S, T, T1, T2, X1, X2, Y1, Y2: Var Clocktime
γ, θ: Var function[process → Clocktime]
abs_IClock_diff: function[nat, Clocktime → bool]

IClock_Reading: function[nat, time → function[process → Clocktime]]

δS: time

maxmax-gap: Lemma 
correct (p, s) A correct (q, s) 

A s > t A s < <‘(p^ )[, + i] A t > 

Z) S t ^max 

minmax_gap: Lemma 
correct(p, s) A correct(y, s) 

A S > t A S < <(pj; ? )[,' + i] A < > <(p^ 9 )[i] 

Z) S — t ^ y’mar 

drift.bnd: Lemma t < s 

A correct(p, s ) A correct(g, s) A |7C p (<) — 7C^(<)| < Y 
D |7Cj,(s) — 7C^(s)| <Y + 2*(s — t)* p 

maxsync jnax: Lemma > t' p A t’ ( p^ j)(j] > < 9 

minsyncjnin: Lemma <( pW[l ] <t' p A C (j4j)[i] < 

accuracy-preservation: Lemma 
correct (p, 

A correct (y, <p +1 ) 

A ( V /, m: 

correct (/, tj, +1 ) A correct (m, fp +1 ) 
D|7C)(<*+ 1 )-7C^(<*+ 1 )|<X) 

D |7C; +1 (f‘ +1 ) - /c;(t* +1 )| < a(X + 2 * A) + A 

accuracy_pres_step0: Lemma

|s - t1| < y ∧ |t - t2| < y ∧ |t1 - t2| < x ⊃ |s - t| < 2 * y + x
accuracy_pres_step1: Lemma

correct (p, <p +1 ) A correct (/, ) A correct (m, <p +1 ) 

D |0*+ 1 /)-0'+ 1 m)| 

< |/Ci(<’+ 1 )-/Cj n (<*+ 1 )| + 2*A 

lemma3_l_l: Lemma 

correct(p, t) A correct(g, t) 

A /? < f'min 

A p < X 

A 7t( 2 *A + 2*/?*p,X-b2* ((r ma;r +/?)★/> + A)) < X 
A * - ^ptoMO 

D |/C- (t) - ic\{t ) I < * + 2 * (< - t* pfr , )[0 ) *p 


lemma3_l: Lemma correct(p,^) 

A correct(g, i) 

A < r m»n 

A fi < X 

A tt( 2 *A-b2*/?*p,X + 2* ((r„ 


A t > t\ 


- A 1 < *«»)[<+!] 
D |KC P (<) - VC, (01 < X + 2 * r mal *p 


* + l 


. + /?)★/> + A)) < X 


lemma3_2_0: Lemma 
correct (p,<' ( +J ?)[<+1] ) 

A correct ( 9 ,<j+J ?)[i+1] ) 

A ft < 

A p < X A 7t( 2 *A + 2*/?*p,X + 2* ((r mar -f /?) * p + A)) < A" 

— ^(pft«)[* + l]^(pV?)[i + l])l 
< a(X + 2 * (r max + /?) * p + 2 * A) + A 


lemma3_2_l: Lemma 

correct(p,t) A correct(g, i) 

A 0 < r min 
A p < X 

A tt(2 * A + 2 * 0 * p, X + 2 * ((r mai 4- 0) * p + A)) < X 
A a(X + 2 * (r mai + /?)*P + 2*A) + A + 2*/I?*p< (5 

A f - ( (hI*X*+i1 a 1 ' ( (pft*)I*+il 

= i /c !«, )[.+!](<) - 'cUw+nWi < > 

lemma3-2-step: Lemma 

correct (p, t) A correct^, t) A 0 < r mi „ A t > t| p ^ ?)[i] A t < t‘ pff?)[<] 

t c P+ 1 
D 1 < l (pM\i] 
lemma3_2_step1: Lemma

correct (p, t) A correct^, t) A /? < r min A t > *(p.|^)[,'+i] 

D 1 - *(p#9)l<+i] 

Iemma3_2jstep2: Lemma 
correct(p, t) A correct(g, t) 

A /? < r m ,„ A t > <(p^ ? )[ i+ i] A t < <(p ft? )[,- + i] 

= |V r C'(p^ ? )[j+i](t) — ^C(pftv)[i + l](OI 

Iemma3-2_step3: Lemma 

|V r C’(p* 4 ) P+ i](l) - ^C w?)[i+1] (OI = l^p(<) - VC q {t ) I 

lemma3_2: Lemma correct(p, t) 

A correct ($, t) 

A (3 ^ **rmn 
A (i < X 

A 7r(2 *A-b2*/?'*p, X + 2 * ((r mor + /?) ★ p + A)) < X 
A c*(X -f* 2 * (r mar -f /?) ★ p •+■ 2 * A) 4*A + 2*/?*p< 6 
A «X “f" 2 ★ 7* yr^ jc P < & 

A * - < ‘(p-fr9)t*] A 1 K f (pit9)t<+l] 

D \VC p (t) - VC,(t)\ < 6 

okayClocks: function[process, process, nat → bool] =
  (λ p, q, i: (∀ t:
     t > 0 ∧ t < t^i_((p⇑q)[i]) ∧ correct(p, t) ∧ correct(q, t)
     ⊃ |VC_p(t) - VC_q(t)| < δ))

okayClocks_defn_lr: Lemma
  okayClocks(p, q, i)
  ⊃ (∀ t: t > 0 ∧ t < t^i_((p⇑q)[i]) ∧ correct(p, t) ∧ correct(q, t)
     ⊃ |VC_p(t) - VC_q(t)| < δ)

okayClocks_defn_rl: Lemma
  (∀ t: t > 0 ∧ t < t^i_((p⇑q)[i]) ∧ correct(p, t) ∧ correct(q, t)
   ⊃ |VC_p(t) - VC_q(t)| < δ)
  ⊃ okayClocks(p, q, i)

lemma3_3_0: Lemma μ < δ ⊃ okayClocks(p, q, 0)
lemma3_3_ind: Lemma
  β < r_min ∧ μ < δS
  ∧ π(2 * Λ + 2 * β * ρ, δS + 2 * ((r_max + β) * ρ + Λ)) < δS
  ∧ δS + 2 * r_max * ρ < δ
  ∧ α(δS + 2 * (r_max + β) * ρ + 2 * Λ) + Λ + 2 * β * ρ < δ
  ∧ okayClocks(p, q, i)
  ⊃ okayClocks(p, q, i + 1)

lemma3_3: Lemma β < r_min
  ∧ μ < δS ∧ π(2 * Λ + 2 * β * ρ, δS + 2 * ((r_max + β) * ρ + Λ)) < δS
  ∧ δS + 2 * r_max * ρ < δ
  ∧ α(δS + 2 * (r_max + β) * ρ + 2 * Λ) + Λ + 2 * β * ρ < δ
  ⊃ okayClocks(p, q, i)

Proof

okayClocks_defn_lr_pr: Prove okayClocks_defn_lr from okayClocks {t ← t@CS}

okayClocks_defn_rl_pr: Prove okayClocks_defn_rl {t ← t@P1S} from okayClocks

accuracy_pres_step2: Lemma

z > 0 ∧ y1 - z < y ∧ y1 + z > y ⊃ |x - y| < |x - y1| + z

accuracy_pres_step2_pr: Prove accuracy_pres_step2 from
  |*1| {x ← x - y}, |*1| {x ← x - y1}
accuracy_preservation_pr: Prove

accuracy-preservation {/ +— /@P2S, m m@P2S} from 
accuracy_preservation_ax 

{ppred <— ( A q\ correct ( g, JJ+ 1 )), 

7 - ©p +1 » 

X i-X + 2* A}, 

okay -Read p red 
{Y <— X -f 2 * A, 
ppred <— ( A q: correct (g, <p +1 )), 

7 — ©p +l }, 

accuracy-pres_stepl {/ +— /@P2S, m <— m@P2S}, 
accuracy _pres_step2 

U A, 

yi *- ©p +1 ?), 

ReadClock-bndl, 

ReadClock-bnd2 , 
correct-count {t <— 

IClock-defn {i <— i + 1, t <— <p +1 }, 

Adj {i <— z + 1} 

abs_diff_2: Lemma |x - y| < z ⊃ x - y < z ∧ y - x < z

abs_diff_2_pr: Prove abs_diff_2 from |*1| {x ← x - y}

accuracy.pres-stepO.pr: Prove accuracy _pres-step0 from 
okay -Read varsjshiftjstep2, 
okay _Readvars_shiftj5tep2 
{t 1 < i 2 > 

1 2 ^i) 

s +— t } 

t 4- s}, 

abs_diff_2 {a: <— <1, y «— 1 2, * <— a;}, 
abs.com {x «— s, y «— <} 
accuracy_pres_step1_pr: Prove accuracy_pres_step1 from
accuracy _pres_stepO 

{y <- A, 

S-0’ + 1 0. 

u - lew? 1 ), 

t <— ©p + 1 m), 

< 2 - /Cj n (t*+ 1 )}, 

Readerror {<7 <— /}, 

Readerror {9 <— m}, 

abs.com {x «— IC‘,{t' p +1 ), y <— 0J, +1 /)}, 

abs.com {x «- IC' m (t' p +l ), y *- ©J, +1 m)} 

lemma3_3_proof: Prove lemma3_3 from
  lemma3_3_ind {i ← j@P2S},
  readbounds.induction
    {prop ← (λ i → bool:
       β < r_min ∧ μ < δS
       ∧ π(2 * Λ + 2 * β * ρ, δS + 2 * ((r_max + β) * ρ + Λ)) < δS
       ∧ δS + 2 * r_max * ρ < δ
       ∧ α(δS + 2 * (r_max + β) * ρ + 2 * Λ) + Λ + 2 * β * ρ < δ
       ⊃ okayClocks(p, q, i))},
  lemma3_3_0,
  pos_product {x ← r_max, y ← ρ},
  rmax_0,
  rho_0

lemma3_3_ind_proof: Prove lemma3_3_ind from
  lemma3_2 {t ← t@P3S, X ← δS},
  okayClocks_defn_lr {t ← t@P3S},
  okayClocks_defn_rl {i ← i + 1}

lemma3_3_0_proof: Prove lemma3_3_0 from
  okayClocks_defn_rl {i ← 0},
  synctime_0 {p ← (p ⇑ q)[0]},
  synctime_0,
  synctime_0 {p ← q},
  VClock_defn {t ← t@P1S, i ← 0},
  VClock_defn {p ← q, t ← t@P1S, i ← 0},
  lemma_2_0,
  rts1 {t ← t@P1S, i ← 0},
  rts1 {p ← q, t ← t@P1S, i ← 0},
  rmin_0
lemma3_1_1_proof: Prove lemma3_1_1 from
lemma-2, 

okaymaxsync_defn Jr {p <— p, q q}, 

4* 3 

drift-bnd {s +- t, t «- <( ptr9 )[,] . Y <- X, j <- i), 
rho_0, 

correct.closed {s <— t <— 

correct .closed {s <- <, t <- P ?}. 

multJeq {z *- p, y <- t - ^ p1H)[<] , x <- r mar }, 

maxsync_max, 

minsync_min {i <— i - h 1}, 

minmax_gap {s <— t, t +— t l p } 

lemma3J. -proof: Prove lemma3_l from 
lemma3_l_l , 

VClock-defn, 

VClock_defn {p <— ?}, 
rtsO, 

multJeq {z — p, y <- t - *| pftf) p], x — r max ), 

maxsync_max, 

minsyncjnin {* <— i -f 1}, 

rho_0 
lemma3_2_0_proof: Prove lemma3_2_0 from
lemma3_l-l {p <- l@P2S, q — m@P2S, t <- 
accuracy_preservation 
{ p+ _ (pjj. 9 )[i+ 1], 

? «- (pfr ?)[*' + 1], 

X <— X + 2 * {r max + /?) * p ] , 

lemma_l .2 {p — (p l}. q)[i + 1], q — ( l@P2S ft m@P2S)[i]}, 
mult Jeq 

* ? max "H 

y /‘ + 1 _ 

* — p }, 

lemma_l_l {q <■— (p ft q)[i + 1], p +— (/@P2S ft m@P2S)[z]}, 
rho.O, 

minsync.correct {j — i + 1, s <- 

maxsync-correct {i *- i + 1, s <- <(p^ )[i+1] }, 
maxsync_correct 
{p /@P2S, 
q <- m@P2S, 
s <— / ,+1 \ 

correct-closed 

/ c P + 1 

* *(fQP2S-frmOP2S)[«]’ 

p <- (/@P2S It m@P2S)[i]} 
lemma3_2_1_proof: Prove lemma3_2_1 from
lemma3_2_0, 

VClock.defn {p <— (p U <?)[* + 1], » *— i + 1}> 

VClock_defn {p «— (p ft q)[i -hi]}, 
drift.bnd 
{s *-t, 

1 l {pwv+ 1 ]’ 

i <— t + 1, 

j «- *, 

y a(X + 2 * (r mar + P) ★ P + 2 * A) + A}, 
rho_0, 

maxsync .correct {s <— i ♦— i ■+■ 1}, 

minsync.correct {s <— i *— t + 1), 

correct-closed 

{p*- (pA 9)[* + 1], 

f « j* + l \ 

correct-closed 

{p<-(P^ 9) [*'+!]> 

S <— 

/ t /*+! \ 

correct-closed {s *- <, < «- t (JJ f )[i+i]}> 

correct-closed {p *— g, s ♦- <, < «- *($,)[<+i]}> 

rtsl {i <— i + 1, p ♦- (p JJ- q)[i + 1]}, 

multJeq {z <- p, y <- < - *($,)[<+!]. x P), 

rts2 {t <— t + 1, p - — (P IT 9)[* +1], 9 (P ■U 9)[* + 1]} 

lemma3-2_proof: Prove lemma3-2 from 

lemma3-2-l, lemma3_l, Iemma3_2-step2, Iemma3_2_step3 

lemma3 _2 .step .proof: Prove lemma3_2-step from 
rts2 {p «- (p fT 9)[*]i 9 “« — (P -U 9)[*]}> 
rtsl {p <- (p-U- «)[*]}, 
minsync.correct {s £}, 
maxsync .correct {5 <— <}, 
minsync_min, 

correct-closed {p «- (p ^ q)[i\, s «- t, t «- <( p ^ ? )[i]} 
lemma3_2_step1_proof: Prove lemma3_2_step1 from
rts2 {p - — (p 1Y ?)[* +1], 9 < — (p -U- fl)[* + 1]}. 
rtsl {p ♦- (p ft g)f* +1]}, 
minsync-correct {$ <— i +— i + 1}, 
maxsync.correct {s t, i <— i + 1} 

lemma3_2jstep2_proof: Prove Iemma 3 - 2 j 3 tep 2 from 
lemma3_2jstep {i <— i + 1}, 
lemma3-2jstepl, 

VClock_defn {p *— (p ^ g)[i + 1] , * <— * + 1}, 

VClock_defn {p <— (p ft q)[i + 1]} , 
minsync.correct {s <— t, i i + 1 } } 
maxsync.correct {s <— i *— i + 1 } 

lemma3_2_step3-proof: Prove Iemma3_2_step3 from 
abs-com {x <— VC p (t) } y <— VC q (t)}i 
minsync {p «— p, q <— q } i *— i + l} 9 
(*1 ft *2)[*3] {p<-p, q*-q, i*-i+ 1} 

maxm ax-gap -proof: Prove maxmax^gap from 

(★1 ft ★2)[*3] {i <— i -f 1}, (*1 ft *2)[*3] , rtsO {t <— $}, rtsO {t <— s, p <— q} 

minmax-gap.proof: Prove minmax_gap from 
minsync-maxsync {i <— t + 1 }, maxm ax -gap 

drift -bn d .proof: Prove drift-bnd from 
lemma_ 2 _ 2 a {z <— j}, 
lemma_ 2 _ 2 a {<? <— p}, 
lemmaJ 2 - 2 b {i ♦— j}, 
lemma_ 2 _ 2 b {<7 ^ — p} , 

multJdistrib-minus {x s — t, 3 / *— 1 , z <— p}, 
multJdistrib {x <— s — t } y *— 1 , z *— p}, 
absjshift 

{r - IC' p {t), 
s «- IC{(t), 
h - /Cj(f), 

< 2 - IC{{s), 
y 1 , 

z (s — t) ★ p, 

X *-Y} 

maxsync_m ax_proof: Prove maxsync_max from (*1 ft *2)[*3] 

minsync_m in .proof: Prove minsync_min from minsync 
End lemma3
lemma_final: Module

Using clockassumptions, lemma3, arith, basics
Exporting all with clockassumptions, lemma3

Theory

p, q, p1, p2, q1, q2, p3, q3, i, j, k: Var nat
l, m, n: Var int
x, y, z: Var number

posnumber: Type from number with (λ x: x > 0)
r, s, t: Var posnumber

correct_synctime: Lemma correct(p, t) ∧ t < t^i_p + r_min ⊃ t < t^(i+1)_p
synctime_multiples: Lemma correct(p, t) ∧ t > 0 ∧ t < i * r_min ⊃ t^i_p > t
synctime_multiples_bnd: Lemma correct(p, t) ∧ t > 0 ⊃ t < t^(⌈t/r_min⌉ + 1)_p

agreement: Lemma β < r_min
  ∧ μ < δS ∧ π(2 * Λ + 2 * β * ρ, δS + 2 * ((r_max + β) * ρ + Λ)) < δS
  ∧ δS + 2 * r_max * ρ < δ
  ∧ α(δS + 2 * (r_max + β) * ρ + 2 * Λ) + Λ + 2 * β * ρ < δ
  ∧ t > 0 ∧ correct(p, t) ∧ correct(q, t)
  ⊃ |VC_p(t) - VC_q(t)| < δ

Proof

agreement_proof: Prove agreement from
  lemma3_3 {i ← ⌈t/r_min⌉ + 1},
  okayClocks_defn_lr {i ← ⌈t/r_min⌉ + 1, t ← t@CS},
  maxsync_correct {s ← t, i ← ⌈t/r_min⌉ + 1},
  synctime_multiples_bnd {p ← (p ⇑ q)[⌈t/r_min⌉ + 1]},
  rmin_0,
  div_nonnegative {x ← t, y ← r_min},
  ceil_defn {x ← (t/r_min)}

synctime_multiples_bnd_proof: Prove synctime_multiples_bnd from
  ceil_plus_mult_div {x ← t, p ← r_min},
  synctime_multiples {i ← ⌈t/r_min⌉ + 1},
  rmin_0,
  div_nonnegative {x ← t, p ← r_min},
  ceil_defn {x ← (t/r_min)}

correct_synctime_proof: Prove correct_synctime from rts1 {t ← t@CS}
synctime_multiples_pred: function[nat, nat, posnumber → bool] ==
  (λ i, p, t: correct(p, t) ∧ t > 0 ∧ t < i * r_min ⊃ t^i_p > t)

synctime_multiples_step: Lemma
  correct(p, t) ∧ t > t^i_p ∧ t > 0 ⊃ t^i_p > i * r_min

synctime_multiples_proof: Prove synctime_multiples from
  synctime_multiples_step

synctime_multiples_step_pred: function[nat, nat, posnumber → bool] =
  (λ i, p, t: correct(p, t) ∧ t^i_p < t ∧ t > 0 ⊃ t^i_p > i * r_min)

synctime_multiples_step_proof: Prove synctime_multiples_step from
  readbounds.induction
    {prop ← (λ i: synctime_multiples_step_pred(i, p, t))},
  mult_l0 {x ← r_min},
  synctime_0,
  rts_1 {i ← j@P1},
  rmin_0,
  correct_closed {s ← t, t ← t^(j@P1 + 1)_p},
  distrib {x ← j@P1, y ← 1, z ← r_min},
  mult_ident {x ← r_min}

End lemma_final
lemma_final_tcc: Module
Using lemma_final
Exporting all with lemma_final
Theory

p: Var naturalnumber
x: Var number
j: Var naturalnumber
t: Var posnumber

posnumber_TCC1: Formula (∃ x: x > 0)

synctime_multiples_bnd_TCC1: Formula (correct(p, t) ∧ t > 0) ⊃ (r_min ≠ 0)

synctime_multiples_bnd_TCC2: Formula
  (correct(p, t) ∧ t > 0) ⊃ (⌈t/r_min⌉ + 1 > 0)

agreement_proof_TCC1: Formula (r_min ≠ 0)

agreement_proof_TCC2: Formula (⌈t/r_min⌉ + 1 > 0)

Proof

posnumber_TCC1_PROOF: Prove posnumber_TCC1

synctime_multiples_bnd_TCC1_PROOF: Prove synctime_multiples_bnd_TCC1
synctime_multiples_bnd_TCC2_PROOF: Prove synctime_multiples_bnd_TCC2
agreement_proof_TCC1_PROOF: Prove agreement_proof_TCC1
agreement_proof_TCC2_PROOF: Prove agreement_proof_TCC2
End lemma_final_tcc
ica: Module

Using arith, countmod, clockassumptions, readbounds
Exporting all with clockassumptions
Theory

process: Type is nat
event: Type is nat
time: Type is number
Clocktime: Type is number

q2, p3, q3: Var process

Var event

x, y, z, r, s, t: Var time

X, Y, Z, R, S, T: Var Clocktime

fun, γ, θ: Var function[process → Clocktime]

ppred, ppred1, ppred2: Var function[process → bool]

sigma_size: function[function[process → Clocktime], process → process] =
  (λ fun, i: i)

sigma: function[function[process → Clocktime], process → Clocktime] =
  (λ fun, i: (if i > 0 then fun(i - 1) + sigma(fun, i - 1) else 0 end if))
  by sigma_size

fix: function[Clocktime, Clocktime, Clocktime → Clocktime] =
  (λ X, Y, Z: (if |Y - Z| < X then Y else Z end if))
iconv: function[process, function[process → Clocktime], Clocktime
                → Clocktime] =
  (λ p, fun, Y: sigma((λ q: fix(Y, fun(q), fun(p))), N))
icalg: function[process, function[process → Clocktime], Clocktime
                → Clocktime] = (λ p, fun, Y: iconv(p, fun, Y)/N)

ica_translation_invariance1: Lemma
  iconv(p, (λ q: fun(q) + X), Y) = iconv(p, fun, Y) + N * X

ica_translation_invariance: Lemma
  N > 0 ⊃ icalg(p, (λ q: fun(q) + X), Y) = icalg(p, fun, Y) + X

extensionality: Axiom (∀ l: ppred1(l) = ppred2(l)) ⊃ ppred1 = ppred2

fun1, fun2: Var function[process → time]

fun_extensionality: Axiom (∀ l: fun1(l) = fun2(l)) ⊃ fun1 = fun2
sigma_trans_inv: Lemma sigma((λ q1: fun(q1) + X), n) = sigma(fun, n) + n * X

Proof
fix_trans: Lemma (λ q:
    fix(Y, ((λ q1: fun(q1) + X) q), ((λ q1: fun(q1) + X) p)))
  = (λ q: fix(Y, fun(q), fun(p)) + X)

fix_trans_pr: Prove fix_trans from
  fun_extensionality
    {fun1 ← (λ q: fix(Y, ((λ q1: fun(q1) + X) q), ((λ q1: fun(q1) + X) p))),
     fun2 ← (λ q: fix(Y, fun(q), fun(p)) + X)},
  fix
    {X ← Y,
     Y ← ((λ q1: fun(q1) + X) l@P1S),
     Z ← ((λ q1: fun(q1) + X) p)},
  fix {X ← Y, Y ← fun(l@P1S), Z ← fun(p)}

sigma_trans_inv_base: Lemma sigma((λ q1: fun(q1) + X), 0) = sigma(fun, 0)

sigma_trans_inv_base_pr: Prove sigma_trans_inv_base from
  sigma {i ← 0}, sigma {fun ← (λ q1: fun(q1) + X), i ← 0}

sigma_trans_inv_ind: Lemma
  sigma((λ q1: fun(q1) + X), j) = sigma(fun, j) + j * X
  ⊃ sigma((λ q1: fun(q1) + X), j + 1) = sigma(fun, j + 1) + (j + 1) * X

sigma_trans_inv_ind_pr: Prove sigma_trans_inv_ind from
  sigma {fun ← (λ q1: fun(q1) + X), i ← j + 1},
  sigma {i ← j + 1},
  distrib {x ← j, y ← 1, z ← X},
  mult_ident {x ← X}

sigma_trans_inv_pr: Prove sigma_trans_inv from
  induction
    {prop ← (λ n: sigma((λ q1: fun(q1) + X), n) = sigma(fun, n) + n * X),
     i ← n},
  sigma_trans_inv_base,
  sigma_trans_inv_ind {j ←
  mult_l0 {x ← X}

ica_translation_invariance1_pr: Prove ica_translation_invariance1 from
  iconv,
  iconv {fun ← (λ q: fun(q) + X)},
  fix_trans,
  sigma_trans_inv {fun ← (λ q: fix(Y, fun(q), fun(p))), n ← N}
ica_translation_invariance_pr: Prove ica_translation_invariance from
  ica_translation_invariance1,
  icalg,
  icalg {fun ← (λ q: fun(q) + X)},
  div_distrib {x ← iconv(p, fun, Y), y ← N, z ← N},
  div_cancel {x ← N, y ← X}

End ica
ica2: Module

Using arith, countmod, clockassumptions, readbounds, ica

Exporting all with ica
Theory

process: Type is nat

event: Type is nat

time: Type is number

Clocktime: Type is number

l, m, n, p, q, p1, p2, q1, q2, p3, q3: Var process

i, j, k: Var event

x, y, z, r, s, t: Var time

D, X, Y, Z, R, S, T: Var Clocktime

fun, fun1, fun2, γ, θ: Var function[process → Clocktime]
ppred, ppred1, ppred2: Var function[process → bool]

sigma_split: Lemma
  sigma(fun, i) = sigma((λ q: (if ppred(q) then fun(q) else 0 end if)), i)
    + sigma((λ q: (if ¬ppred(q) then fun(q) else 0 end if)), i)

sigma_pos: Lemma okay_pairs(fun1, fun2, X, ppred)
  ⊃ sigma((λ q: (if ppred(q) then (fun1(q) - fun2(q)) else 0 end if)), i)
    < count(ppred, i) * X

okay_pairs_fix: Lemma
  Z > 0 ∧ ppred(p)
  ∧ ppred(q)
  ∧ okay_pairs(fun1, fun2, X, ppred)
  ∧ okay_Readpred(fun1, Z, ppred) ∧ okay_Readpred(fun2, Z, ppred)
  ⊃ okay_pairs((λ q1: fix(Y, fun1(q1), fun1(p))),
               (λ q1: fix(Y, fun2(q1), fun2(q))),
               (if Z < Y then X else X + Z end if),
               ppred)

sigma_diff: Lemma
  sigma(fun1, i) - sigma(fun2, i) = sigma((λ q: fun1(q) - fun2(q)), i)
sigma_neg: Lemma Y > 0 ∧ fun1(p) - fun2(q) < z
  ⊃ sigma((λ q1:
      (if ¬ppred(q1)
       then (fix(Y, fun1(q1), fun1(p)) - fix(Y, fun2(q1), fun2(q)))
       else 0
       end if)),
     i) < count((λ q1: ¬ppred(q1)), i) * (z + 2 * Y)

sigma_pos_neg: Lemma
  Y > 0 ∧ Z > 0 ∧ ppred(p)
  ∧ ppred(q)
  ∧ okay_pairs(fun1, fun2, X, ppred)
  ∧ okay_Readpred(fun1, Z, ppred) ∧ okay_Readpred(fun2, Z, ppred)
  ⊃ sigma((λ q1: fix(Y, fun1(q1), fun1(p)) - fix(Y, fun2(q1), fun2(q))), i)
    < count(ppred, i) * (if Z < Y then X else X + Z end if)
      + count((λ q1: ¬ppred(q1)), i) * (X + Z + 2 * Y)

iconv_sigma_diff: Lemma
  Y > 0 ∧ Z > 0 ∧ ppred(p)
  ∧ ppred(q)
  ∧ okay_pairs(fun1, fun2, X, ppred)
  ∧ okay_Readpred(fun1, Z, ppred) ∧ okay_Readpred(fun2, Z, ppred)
  ⊃ iconv(p, fun1, Y) - iconv(q, fun2, Y)
    < count(ppred, N) * (if Z < Y then X else X + Z end if)
      + count((λ q1: ¬ppred(q1)), N) * (X + Z + 2 * Y)

okay_Readpred_pairs: Lemma
  ppred(p) ∧ ppred(q)
  ∧ okay_pairs(fun1, fun2, X, ppred) ∧ okay_Readpred(fun1, Z, ppred)
  ⊃ fun1(p) - fun2(q) < X + Z

okay_Readpred_lr: Lemma
  ppred(p) ∧ ppred(q) ∧ okay_Readpred(fun1, Z, ppred) ⊃ |fun1(p) - fun1(q)| < Z
okay_pairs_lr: Lemma
  ppred(p) ∧ okay_pairs(fun1, fun2, X, ppred) ⊃ |fun1(p) - fun2(p)| < X

Proof

okay_Readpred_pairs_pr: Prove okay_Readpred_pairs from
  okay_pairs {γ ← fun1, θ ← fun2, p3 ← q},
  abs_leq_0 {x ← fun1(q), y ← fun2(q), z ← X},
  okay_Readpred {γ ← fun1, Y ← Z, l ← p, m ← q},
  abs_leq_0 {x ← fun1(p), y ← fun1(q), z ← Z}
iconv_sigma_diff_pr: Prove iconv_sigma_diff from
  sigma_pos_neg {i ← N},
  sigma_diff
    {fun1 ← (λ q1: fix(Y, fun1(q1), fun1(p))),
     fun2 ← (λ q1: fix(Y, fun2(q1), fun2(q))),
     i ← N},
  iconv {fun ← fun1},
  iconv {p ← q, fun ← fun2}

sigma_pos_neg_pr: Prove sigma_pos_neg from
  sigma_pos
    {fun1 ← (λ q1: fix(Y, fun1(q1), fun1(p))),
     fun2 ← (λ q1: fix(Y, fun2(q1), fun2(q))),
     X ← (if Z < Y then X else X + Z end if)},
  sigma_neg {z ← X + Z},
  okay_pairs_fix,
  okay_Readpred_pairs,
  sigma_split
    {fun ← (λ q1: fix(Y, fun1(q1), fun1(p)) - fix(Y, fun2(q1), fun2(q)))}

fix_diff1: Lemma Z > 0 ∧ |fun1(p3) - fun2(p3)| < X ∧ |fun1(p3) - fun1(p)| < Z
  ⊃ |fix(Y, fun1(p3), fun1(p)) - fun2(p3)|
    < (if Z < Y then X else X + Z end if)

fix_diff1_pr: Prove fix_diff1 from
  fix {X ← Y, Y ← fun1(p3), Z ← fun1(p)},
  abs_drift
    {x1 ← fun1(p),
     y ← fun2(p3),
     x ← fun1(p3),
     z1 ← Z},
  abs_com {x ← fun1(p), y ← fun1(p3)}

fix_diff2: Lemma |fun1(p3) - fun2(p3)| < X ∧ |fun2(p3) - fun2(q)| < Z
  ⊃ |fun1(p3) - fun2(q)| < X + Z

fix_diff2_pr: Prove fix_diff2 from
  abs_drift
    {x1 ← fun1(p3),
     y ← fun2(q),
     x ← fun2(p3),
     z ← Z}
fix_diff3: Lemma |fun1(q) - fun2(q)| < X ∧ |fun1(p) - fun1(q)| < Z
  ⊃ |fun1(p) - fun2(q)| < X + Z

fix_diff3_pr: Prove fix_diff3 from
  abs_drift
    {x1 ← fun1(p),
     y ← fun2(q),
     x ← fun1(q),
     z1 ← Z,
     z ← X}

fix_diff: Lemma Z > 0
  ∧ |fun1(p3) - fun2(p3)| < X
  ∧ |fun1(q) - fun2(q)| < X
  ∧ |fun1(p3) - fun1(p)| < Z
  ∧ |fun2(p3) - fun2(q)| < Z ∧ |fun1(p) - fun1(q)| < Z
  ⊃ |fix(Y, fun1(p3), fun1(p)) - fix(Y, fun2(p3), fun2(q))|
    < (if Z < Y then X else X + Z end if)

fix_diff_pr: Prove fix_diff from
  fix {X ← Y, Y ← fun1(p3), Z ← fun1(p)},
  fix {X ← Y, Y ← fun2(p3), Z ← fun2(q)},
  fix_diff1,
  fix_diff2,
  fix_diff3

okay_pairs_lr_pr: Prove okay_pairs_lr from
  okay_pairs {γ ← fun1, θ ← fun2, p3 ← p}

okay_Readpred_lr_pr: Prove okay_Readpred_lr from
  okay_Readpred {γ ← fun1, Y ← Z, l ← p, m ← q}

fix_diff_corr: Lemma
  Z > 0 ∧ ppred(p)
  ∧ ppred(q)
  ∧ ppred(p3)
  ∧ okay_pairs(fun1, fun2, X, ppred)
  ∧ okay_Readpred(fun1, Z, ppred) ∧ okay_Readpred(fun2, Z, ppred)
  ⊃ |fix(Y, fun1(p3), fun1(p)) - fix(Y, fun2(p3), fun2(q))|
    < (if Z < Y then X else X + Z end if)
fix_diff_corr_pr: Prove fix_diff_corr from
  fix_diff,
  okay_pairs_lr {p ← p3},
  okay_pairs_lr {p ← q},
  okay_Readpred_lr {p ← p3, q ← p},
  okay_Readpred_lr {fun1 ← fun2, p ← p3},
  okay_Readpred_lr

okay_pairs_fix_pr: Prove okay_pairs_fix from
  okay_pairs
    {γ ← (λ q1: fix(Y, fun1(q1), fun1(p))),
     θ ← (λ q1: fix(Y, fun2(q1), fun2(q))),
     X ← (if Z < Y then X else X + Z end if)},
  fix_diff_corr {p3 ← p3@P1S}

sigma_neg_ind_step: Lemma
  Y > 0 ∧ fun1(p) - fun2(q) < z
  ⊃ fix(Y, fun1(i), fun1(p)) - fix(Y, fun2(i), fun2(q)) < z + 2 * Y

sigma_neg_ind_step_pr: Prove sigma_neg_ind_step from
  fix {X ← Y, Y ← fun1(i), Z ← fun1(p)},
  fix {X ← Y, Y ← fun2(i), Z ← fun2(q)},
  abs_leq_0 {x ← fun1(i), y ← fun1(p), z ← Y},
  abs_com {x ← fun2(i), y ← fun2(q)},
  abs_leq_0 {x ← fun2(q), y ← fun2(i), z ← Y}

sigma_neg_ind: Lemma
  Y > 0 ∧ fun1(p) - fun2(q) < z
  ∧ sigma((λ q1:
      (if ¬ppred(q1)
       then fix(Y, fun1(q1), fun1(p))
            - fix(Y, fun2(q1), fun2(q))
       else 0
       end if)),
     i) < count((λ q1: ¬ppred(q1)), i) * (z + 2 * Y)
  ⊃ sigma((λ q1:
      (if ¬ppred(q1)
       then fix(Y, fun1(q1), fun1(p)) - fix(Y, fun2(q1), fun2(q))
       else 0
       end if)),
     i + 1)
    < count((λ q1: ¬ppred(q1)), i + 1) * (z + 2 * Y)
sigma_neg_ind_pr: Prove sigma_neg_ind from
  sigma
    {fun ← (λ q1:
       (if ¬ppred(q1)
        then fix(Y, fun1(q1), fun1(p)) - fix(Y, fun2(q1), fun2(q))
        else 0
        end if)),
     i ← i + 1},
  count {ppred ← (λ q1: ¬ppred(q1)), i ← i + 1},
  sigma_neg_ind_step,
  distrib
    {x ← 1,
     y ← count((λ q1: ¬ppred(q1)), i),
     z ← z + 2 * Y},
  mult_ident {x ← z + 2 * Y}

sigma_neg_pr: Prove sigma_neg from
  induction
    {prop ← (λ i:
       Y > 0 ∧ fun1(p) - fun2(q) < z
       ⊃ sigma((λ q1:
           (if ¬ppred(q1)
            then (fix(Y, fun1(q1), fun1(p))
                  - fix(Y, fun2(q1), fun2(q)))
            else 0
            end if)),
          i) < count((λ q1: ¬ppred(q1)), i) * (z + 2 * Y))},
  sigma
    {fun ← (λ q1:
       (if ¬ppred(q1)
        then fix(Y, fun1(q1), fun1(p)) - fix(Y, fun2(q1), fun2(q))
        else 0
        end if)),
     i ← 0},
  count {i ← 0, ppred ← (λ q1: ¬ppred(q1))},
  mult_l0 {x ← z + 2 * Y},
  sigma_neg_ind {i ← j@P1S}

sigma_diff_ind: Lemma
  sigma(fun1, i) - sigma(fun2, i) = sigma((λ q: fun1(q) - fun2(q)), i)
  ⊃ sigma(fun1, i + 1) - sigma(fun2, i + 1)
    = sigma((λ q: fun1(q) - fun2(q)), i + 1)

sigma_diff_ind_pr: Prove sigma_diff_ind from
  sigma {fun ← fun1, i ← i + 1},
  sigma {fun ← fun2, i ← i + 1},
  sigma {fun ← (λ q: fun1(q) - fun2(q)), i ← i + 1}

sigma_diff_pr: Prove sigma_diff from
  induction
    {prop ← (λ i:
       sigma(fun1, i) - sigma(fun2, i)
       = sigma((λ q: fun1(q) - fun2(q)), i))},
  sigma {fun ← fun1, i ← 0},
  sigma {fun ← fun2, i ← 0},
  sigma {fun ← (λ q: fun1(q) - fun2(q)), i ← 0},
  sigma_diff_ind {i ← j@P1S}

sigma_pos_ind: Lemma
  okay_pairs(fun1, fun2, X, ppred)
  ∧ sigma((λ q: (if ppred(q) then (fun1(q) - fun2(q)) else 0 end if)), i)
    < count(ppred, i) * X
  ⊃ sigma((λ q: (if ppred(q) then (fun1(q) - fun2(q)) else 0 end if)),
          i + 1)
    < count(ppred, i + 1) * X

sigma_pos_ind_pr: Prove sigma_pos_ind from
  sigma
    {fun ← (λ q: (if ppred(q) then (fun1(q) - fun2(q)) else 0 end if)),
     i ← i + 1},
  okay_pairs {γ ← fun1, θ ← fun2, p3 ← i},
  count {i ← i + 1},
  distrib {x ← 1, y ← count(ppred, i), z ← X},
  mult_ident {x ← X},
  abs_leq_0 {x ← fun1(i), y ← fun2(i), z ← X}
sigma_pos_pr: Prove sigma_pos from
  induction
    {prop ← (λ i:
       okay_pairs(fun1, fun2, X, ppred)
       ⊃ sigma((λ q:
           (if ppred(q) then (fun1(q) - fun2(q)) else 0 end if)),
          i) < count(ppred, i) * X)},
  sigma
    {fun ← (λ q: (if ppred(q) then (fun1(q) - fun2(q)) else 0 end if)),
     i ← 0},
  count {i ← 0},
  mult_l0 {x ← X},
  sigma_pos_ind {i ← j@P1S}

sigma_split_ind: Lemma
  sigma(fun, i) = sigma((λ q: (if ppred(q) then fun(q) else 0 end if)), i)
    + sigma((λ q: (if ¬ppred(q) then fun(q) else 0 end if)), i)
  ⊃ sigma(fun, i + 1)
    = sigma((λ q: (if ppred(q) then fun(q) else 0 end if)), i + 1)
      + sigma((λ q: (if ¬ppred(q) then fun(q) else 0 end if)), i + 1)

sigma_split_ind_pr: Prove sigma_split_ind from
  sigma {i ← i + 1},
  sigma
    {fun ← (λ q: (if ppred(q) then fun(q) else 0 end if)),
     i ← i + 1},
  sigma
    {fun ← (λ q: (if ¬ppred(q) then fun(q) else 0 end if)),
     i ← i + 1}

sigma_split_pr: Prove sigma_split from
  induction
    {prop ← (λ i:
       sigma(fun, i)
       = sigma((λ q: (if ppred(q) then fun(q) else 0 end if)), i)
         + sigma((λ q: (if ¬ppred(q) then fun(q) else 0 end if)), i))},
  sigma {i ← 0},
  sigma
    {fun ← (λ q: (if ppred(q) then fun(q) else 0 end if)),
     i ← 0},
  sigma
    {fun ← (λ q: (if ¬ppred(q) then fun(q) else 0 end if)),
     i ← 0},
  sigma_split_ind {i ← j@P1S}
End ica2
ica3: Module

Using arith, countmod, clockassumptions, readbounds, ica, ica2

Exporting all with clockassumptions, ica2

Theory

process: Type is nat

event: Type is nat

time: Type is number

Clocktime: Type is number

l, m, n, p, q, p1, p2, q1, q2, p3, q3: Var process

i, j, k: Var event

x, y, z, r, s, t: Var time

D, X, Y, Z, R, S, T: Var Clocktime

fun, fun1, fun2, γ, θ: Var function[process → Clocktime]

ppred, ppred1, ppred2: Var function[process → bool]

Δ: Clocktime

Delta_0: Axiom Δ > 0

mult_sum_ineq: Lemma
  m + n = p + q ∧ n < q ∧ x < y ⊃ m * x + n * y < p * x + q * y
count_complement: Lemma count((λ q: ¬ppred(q)), n) = n - count(ppred, n)
prec_enh_step3: Lemma
  count(ppred, N) > N - maxfaults ∧ X > 0 ∧ Y > 0 ∧ Z > 0
  ⊃ count(ppred, N) * (if Z < Y then X else X + Z end if)
      + count((λ q1: ¬ppred(q1)), N) * (X + Z + 2 * Y)
    < (N - maxfaults) * (if Z < Y then X else X + Z end if)
      + maxfaults * (X + Z + 2 * Y)

icalg_Pi: function[Clocktime, Clocktime → Clocktime] =
  (λ X, Z: ((N - maxfaults) * (if Z < Δ then X else X + Z end if)
             + maxfaults * (X + Z + 2 * Δ))
           / N)

prec_enh_step: Lemma
  ppred(p) ∧ ppred(q) ∧ okay_Readpred(fun1, Z, ppred) ⊃ Z > 0
prec_enh_step2: Lemma ppred(p) ∧ okay_pairs(fun1, fun2, X, ppred) ⊃ X > 0
icalg_precision_enhancement_step: Lemma
  ppred(p) ∧ ppred(q)
  ∧ count(ppred, N) > N - maxfaults
  ∧ okay_pairs(fun1, fun2, X, ppred)
  ∧ okay_Readpred(fun1, Z, ppred) ∧ okay_Readpred(fun2, Z, ppred)
  ⊃ icalg(p, fun1, Δ) - icalg(q, fun2, Δ)
    < (count(ppred, N) * (if Z < Δ then X else X + Z end if)
       + count((λ q1: ¬ppred(q1)), N) * (X + Z + 2 * Δ))
      / N

icalg_Mu: function[Clocktime, Clocktime, function[process → bool]
                   → Clocktime] =
  (λ X, Z, ppred:
     (count(ppred, N) * (if Z < Δ then X else X + Z end if)
      + count((λ q1: ¬ppred(q1)), N) * (X + Z + 2 * Δ))
     / N)

icalg_precision_enhancement: Lemma
  ppred(p) ∧ ppred(q)
  ∧ count(ppred, N) > N - maxfaults
  ∧ okay_pairs(fun1, fun2, X, ppred)
  ∧ okay_Readpred(fun1, Z, ppred) ∧ okay_Readpred(fun2, Z, ppred)
  ⊃ icalg(p, fun1, Δ) - icalg(q, fun2, Δ) < icalg_Pi(X, Z)

Proof

prec_enh_step4: Lemma
  N > 0 ∧ ppred(p)
  ∧ ppred(q)
  ∧ count(ppred, N) > N - maxfaults
  ∧ okay_pairs(fun1, fun2, X, ppred)
  ∧ okay_Readpred(fun1, Z, ppred) ∧ okay_Readpred(fun2, Z, ppred)
  ⊃ icalg_Mu(X, Z, ppred) < icalg_Pi(X, Z)
prec_enh_step4_pr: Prove prec_enh_step4 from
  prec_enh_step,
  prec_enh_step2,
  prec_enh_step3 {Y ← Δ},
  Delta_0,
  icalg_Pi,
  icalg_Mu,
  div_ineq
    {x ← count(ppred, N) * (if Z < Δ then X else X + Z end if)
         + count((λ q1: ¬ppred(q1)), N) * (X + Z + 2 * Δ),
     y ← (N - maxfaults) * (if Z < Δ then X else X + Z end if)
         + maxfaults * (X + Z + 2 * Δ),
     z ← N}

icalg_precision_enhancement_pr: Prove icalg_precision_enhancement from
  prec_enh_step4, N_0, icalg_precision_enhancement_step, icalg_Mu

icalg_precision_enhancement_step_pr: Prove icalg_precision_enhancement_step
  from prec_enh_step,
  prec_enh_step2,
  iconv_sigma_diff {Y ← Δ},
  N_0,
  icalg {fun ← fun1, Y ← Δ},
  icalg {p ← q, fun ← fun2, Y ← Δ},
  div_minus_distrib
    {x ← iconv(p, fun1, Δ),
     y ← iconv(q, fun2, Δ),
     z ← N},
  Delta_0,
  div_ineq
    {x ← iconv(p, fun1, Δ) - iconv(q, fun2, Δ),
     y ← count(ppred, N) * (if Z < Δ then X else X + Z end if)
         + count((λ q1: ¬ppred(q1)), N) * (X + Z + 2 * Δ),
     z ← N}

prec_enh_step3_pr: Prove prec_enh_step3 from
  count_complement {n ← N},
  mult_sum_ineq
    {m ← count(ppred, N),
     n ← count((λ q: ¬ppred(q)), N),
     p ← N - maxfaults,
     q ← maxfaults,
     x ← (if Z < Y then X else X + Z end if),
     y ← X + Z + 2 * Y}
prec_enh_step2_pr: Prove prec_enh_step2 from
  okay_pairs_lr, |*1| {x ← fun1(p) - fun2(p)}

count_complement_pr: Prove count_complement from
  induction
    {prop ← (λ n: count((λ q: ¬ppred(q)), n) = n - count(ppred, n)),
     i ← n},
  count {ppred ← (λ q: ¬ppred(q)), i ← 0},
  count {i ← 0},
  count {ppred ← (λ q: ¬ppred(q)), i ← j@P1S + 1},
  count {i ← j@P1S + 1}

mult_sum_ineq_pr: Prove mult_sum_ineq from
  distrib {x ← n, y ← q - n, z ← y},
  distrib {x ← p, y ← m - p, z ← x},
  mult_leq_2 {z ← q - n, x ← y, y ← x}

prec_enh_step_pr: Prove prec_enh_step from
  okay_Readpred_lr, |*1| {x ← fun1(p) - fun1(q)}

End ica3
ica4: Module

Using arith, countmod, clockassumptions, readbounds, ica, ica2, ica3
Exporting all with clockassumptions, ica3

Theory

process: Type is nat

event: Type is nat

time: Type is number

Clocktime: Type is number

l, m, n, p, q, p1, p2, q1, q2, p3, q3: Var process

i, j, k: Var event

x, y, z, r, s, t: Var time

D, X, Y, Z, R, S, T: Var Clocktime

fun, fun1, fun2, γ, θ: Var function[process → Clocktime]
ppred, ppred1, ppred2: Var function[process → bool]

sigma_duplicate: Lemma sigma((λ i: x), i) = i * x

okay_Readpred_fix_diff: Lemma
  ppred(p) ∧ ppred(q) ∧ ppred(p1) ∧ okay_Readpred(fun, X, ppred)
  ⊃ |fix(Y, fun(p1), fun(p)) - fun(q)| < X

okay_Readpred_fix_diff2: Lemma
  ppred(p) ∧ ppred(q) ∧ okay_Readpred(fun, X, ppred) ∧ Y > 0
  ⊃ |fix(Y, fun(p1), fun(p)) - fun(q)| < X + Y

acc_pres_sigma_pos: Lemma
  ppred(p) ∧ ppred(q) ∧ okay_Readpred(fun, X, ppred)
  ⊃ sigma((λ p1:
      (if ppred(p1)
       then |fix(Y, fun(p1), fun(p)) - fun(q)|
       else 0
       end if)),
     N) < count(ppred, N) * X
acc_pres_sigma_neg: Lemma
  ppred(p) ∧ ppred(q) ∧ okay_Readpred(fun, X, ppred) ∧ Y > 0
  ⊃ sigma((λ p1:
      (if ¬ppred(p1)
       then |fix(Y, fun(p1), fun(p)) - fun(q)|
       else 0
       end if)),
     N) < count((λ p1: ¬ppred(p1)), N) * (X + Y)
sigma_abs: Lemma |sigma(fun, i)| < sigma((λ p: |fun(p)|), i)
acc_pres_step: Lemma
  ppred(p) ∧ ppred(q) ∧ okay_Readpred(fun, X, ppred)
  ⊃ |iconv(p, fun, Δ) - N * fun(q)|
    < count(ppred, N) * X + count((λ p: ¬ppred(p)), N) * (X + Δ)

icalg_accuracy_preservation: Lemma
  ppred(p) ∧ ppred(q)
  ∧ count(ppred, N) > N - maxfaults ∧ okay_Readpred(fun, X, ppred)
  ⊃ |icalg(p, fun, Δ) - fun(q)|
    < ((N - maxfaults) * X + maxfaults * (X + Δ)) / N

Proof 

icalg_accuracy_preservation_pr: Prove icalg.accuracy .preservation from 
acc.presjstep, 

N.O, 

abs.div {x icon v(p, fun, A) — N -A-fun(^), y <— N}, 
icalg {y A}, 

div.cancel {x <— N, y <— fun(g)}, 
mult-sumineq 

{m +— count(ppred, N), 
n <— count(( A p: -«ppred(p)), N) } 
p N — maxfaults, 
q <— maxfaults, 
x*-X, 
y-x + A}, 

Delta.O, 

count.complement {n <— N} } 

div_minus_distrib {z «— jV, x <— iconv(p, fun, A), y N *fun(</)}, 
divJneq 

{z^N, 

x <— |iconv(p, fun, A) — N *fun(g)|, 
y *— (N — maxfaults) * X + maxfaults * ( X + A)} 
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acc_pres_step_pr: Prove acc_pres_step from 
sigma_split 

{fun <- ( Api: |fix(A,fun(pi),fun(p)) - fun(g)l), 

i-N), 

sigma^abs {fun ( A p 1 :fix(A,fun(pi),fun(p)) - fun(g)), i N}, 
sigma.diff 

{funl <- ( Api:fix(A,fun(pi),fun(p))), 
fun2 ( Api:fun(g)), 
i - N}, 

acc.presjsigma_neg {Y <— A}, 
acc_pres_sigma_pos {V +— A}, 
iconv { Y <— A}, 

sigma_duplicate {x <— fun (g), i «— JV}, 

Delta.O 

sigma^absjpr: Prove sigma^abs from 

induction {prop (A i: |sigma(fun, i)| < sigma((Ap: |fun(p)|), z))}, 
sigma {* <— 0 }, 

I * 1| i x <- °)> 

sigma {i <— 0 , fun +— ( A p: |fun(p)|)}, 

sigma {z *— j@PlS +1}, 

sigma {i <- - ;@P1S -f 1, fun <— ( A p: |fun(p) |) } , 

abs.plus {x sigma(fun,j@P15), y *— fun(j@P15)} 

acc-presjsigma_neg_pr: Prove acc-pres_sigma_neg from 
sigma_pos 

{i«- AT, 

funl <- ( Api: |fix(y,fun(pi),fun(p)) - fun(g )|) 9 
fun2 +— ( A pi — ► number: 0), 
ppred 4 - ( Api:-»ppred(pi)), 

X + Y}, 
okay -pairs 

{7 ( Ap x : |fix(Y,fun(pi),fun(p)) - fun(g)|), 

9 <— ( A pi — ► number: 0), 

ppred <— ( Api:-ippred(pi))}, 
okay _Readpred_fix_difF2 {pi 4 — p3@P2S}, 

| * 1| {x <— |fix(Y, fun(p 3 @P2S), fun(p)) - fun(g)|}, 
j ★ lj {x ♦ — fix(Y, fun(p3@P2S), fun(p)) — iun(q)} 


100 



acc_pres_sigma_pos_pr: Prove acc.pres_sigma.pos from 
sigma_pos 

funl <- ( A pi : |fix(y, fun(pi ) , fun(p)) - fun( 9 )|), 
fun2 ♦— ( A pi — ► number: 0)}, 
okay .pairs 

{7 ( A pi : |fix(y,fun(pi),fun(p)) - fun(g)|), 

6 <— ( A pi — ► number: 0)}, 
okayJleadpred.fix.diff {pi «— p 3 @P2S}, 

|*1| {x*- |fix(Y, fun(p 3 @P2S), fun(p)) - fun(*)|], 
j ★ lj {x «— fix(y,fun(p 3 @P2S),fun(p)) — fun(g)} 

okay_Readpred_fix_diff2_pr: Prove okay_Readpred_fix_diff2 from 
okay_Readpred Jr {funl fun, Z <— X} y 
fix {X <— y, y «- fun(pi), Z — fun(p)}, 
abs.drift 

{x x <- fun(pi), 

V <- fun (q), 
x <- fun(p), 

zi -y} 

okay Jleadp red _fix.diff.pr: Prove okay _Readpred_fix_d iff from 
okay JleadpredJr {funl <— fun, Z <— X}, 
okay Jleadp red _lr {funl fun, p <— pi, Z <— X}, 

fix {X — y, y «- fun(pi), Z — fun(p)} 

sigma_duplicate_pr: Prove sigma_duplicate from 
induction {prop «— ( A i: sigma(( A i : x), i) = i * x)}, 
sigma {i 0, fun «— ( A i: x)}, 

★1 ★ *2 {x <— 0, p <— x}, 
sigma {i 15, fun «— ( A i: x)}, 

sigma {i <— jf@P15 + 1, fun <— ( A i: x)}, 
distrib {x +— j@PlS, y *— 1, z <— x} 5 
★ 1 **2 {x 4 — 1 j y < — x} 

End ica4 
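As an added numeric companion to the ica and ica4 modules (this is not part of the report's EHDM text): an executable rendering of fix, sigma, count, iconv and icalg, with a check of the icalg_accuracy_preservation bound on constructed readings. The reading of fix as "keep the reading when it lies within Y of the reader's own value, otherwise use the own value", the meaning of okay_Readpred as "correct readings pairwise within X", and 0-based process numbering are assumptions.

```python
from fractions import Fraction
from typing import Callable, Tuple

# Processes are 0..N-1 and sigma(fun, i) sums fun(0) .. fun(i-1), matching
# the step sigma(fun, j+1) = sigma(fun, j) + fun(j) used in sigma_abs_pr.
Reading = Callable[[int], Fraction]   # the EHDM 'fun: process -> Clocktime'
Pred = Callable[[int], bool]          # the EHDM 'ppred'


def fix(y: Fraction, x: Fraction, z: Fraction) -> Fraction:
    """fix(Y, X, Z): accept reading X if it lies within Y of own value Z,
    otherwise fall back to Z (assumed definition, standard for ICA)."""
    return x if abs(x - z) <= y else z


def sigma(fun: Reading, i: int) -> Fraction:
    """sigma(fun, i) = fun(0) + ... + fun(i-1)."""
    return sum((fun(p) for p in range(i)), Fraction(0))


def count(ppred: Pred, i: int) -> int:
    """count(ppred, i): number of processes below i satisfying ppred."""
    return sum(1 for p in range(i) if ppred(p))


def iconv(p: int, fun: Reading, y: Fraction, n: int) -> Fraction:
    """iconv(p, fun, Y) = sigma((lambda p1: fix(Y, fun(p1), fun(p))), N)."""
    return sigma(lambda p1: fix(y, fun(p1), fun(p)), n)


def icalg(p: int, fun: Reading, y: Fraction, n: int) -> Fraction:
    """icalg(p, fun, Y) = iconv(p, fun, Y) / N; icalg_TCC1 demands N != 0."""
    if n == 0:
        raise ValueError("icalg_TCC1: N must be nonzero")
    return iconv(p, fun, y, n) / n


def okay_readpred(fun: Reading, x: Fraction, ppred: Pred, n: int) -> bool:
    """okay_Readpred(fun, X, ppred): readings of any two ppred processes
    differ by at most X (assumed definition)."""
    good = [p for p in range(n) if ppred(p)]
    return all(abs(fun(p) - fun(q)) <= x for p in good for q in good)


def accuracy_bound(n: int, maxfaults: int, x: Fraction, delta: Fraction) -> Fraction:
    """Right-hand side of icalg_accuracy_preservation."""
    return ((n - maxfaults) * x + maxfaults * (x + delta)) / n


def accuracy_preservation(fun: Reading, ppred: Pred, n: int, maxfaults: int,
                          x: Fraction, delta: Fraction) -> Tuple[Fraction, Fraction, bool]:
    """Check the hypotheses of icalg_accuracy_preservation and return
    (worst |icalg(p, fun, Delta) - fun(q)| over correct p, q, bound, holds)."""
    if count(ppred, n) < n - maxfaults or not okay_readpred(fun, x, ppred, n):
        raise ValueError("hypotheses of icalg_accuracy_preservation not met")
    good = [p for p in range(n) if ppred(p)]
    worst = max(abs(icalg(p, fun, delta, n) - fun(q)) for p in good for q in good)
    bound = accuracy_bound(n, maxfaults, x, delta)
    return worst, bound, worst <= bound


# Constructed sample: N = 5 clocks, at most 1 faulty, correct readings
# within X = 3 of each other, process 4 faulty and far off.
N, MAXFAULTS, X, DELTA = 5, 1, Fraction(3), Fraction(4)
READINGS = {0: Fraction(100), 1: Fraction(101), 2: Fraction(103),
            3: Fraction(102), 4: Fraction(1000)}
FUN = READINGS.__getitem__
PPRED = lambda p: p < 4   # constructed: processes 0..3 are correct


if __name__ == "__main__":
    worst, bound, holds = accuracy_preservation(FUN, PPRED, N, MAXFAULTS, X, DELTA)
    print(f"worst deviation {worst}, bound {bound}, lemma holds: {holds}")
```

The faulty reading 1000 is discarded by fix for every correct reader, so each egocentric mean stays within 9/5 of every correct clock, under the lemma's bound of 19/5.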
ica_tcc: Module
Using ica

Exporting all with ica
Theory

i: Var naturalnumber

fun: Var function[naturalnumber → number]
j: Var naturalnumber
l: Var naturalnumber

sigma_TCC1: Formula (i > 0) ⊃ (i − 1 ≥ 0)

sigma_TCC2: Formula (i > 0) ⊃ sigma_size(fun, i) > sigma_size(fun, i − 1)
icalg_TCC1: Formula (N ≠ 0)

Proof

sigma_TCC1_PROOF: Prove sigma_TCC1
sigma_TCC2_PROOF: Prove sigma_TCC2
icalg_TCC1_PROOF: Prove icalg_TCC1
End ica_tcc


ica4_tcc: Module
Using ica4

Exporting all with ica4
Theory

p: Var naturalnumber
q: Var naturalnumber
X: Var number

fun: Var function[naturalnumber → number]
ppred: Var function[naturalnumber → boolean]

p3: Var naturalnumber
j: Var naturalnumber

icalg_accuracy_preservation_TCC1: Formula
  (ppred(p) ∧ ppred(q)
     ∧ count(ppred, N) ≥ N − maxfaults ∧ okay_Readpred(fun, X, ppred))
    ⊃ (N ≠ 0)

icalg_accuracy_preservation_pr_TCC1: Formula (N − maxfaults ≥ 0)

Proof

icalg_accuracy_preservation_TCC1_PROOF: Prove
  icalg_accuracy_preservation_TCC1

icalg_accuracy_preservation_pr_TCC1_PROOF: Prove
  icalg_accuracy_preservation_pr_TCC1

End ica4_tcc
ica3_tcc: Module
Using ica3

Exporting all with ica3
Theory

p: Var naturalnumber
q: Var naturalnumber
X: Var number
Z: Var number

fun1: Var function[naturalnumber → number]
fun2: Var function[naturalnumber → number]
ppred: Var function[naturalnumber → boolean]
j: Var naturalnumber

icalg_Pi_TCC1: Formula (N ≠ 0)

icalg_precision_enhancement_step_TCC1: Formula
  (ppred(p) ∧ ppred(q)
     ∧ count(ppred, N) ≥ N − maxfaults
     ∧ okay_pairs(fun1, fun2, X, ppred)
     ∧ okay_Readpred(fun1, Z, ppred)
     ∧ okay_Readpred(fun2, Z, ppred))
    ⊃ (N ≠ 0)

prec_enh_step3_pr_TCC1: Formula (N − maxfaults ≥ 0)

Proof

icalg_Pi_TCC1_PROOF: Prove icalg_Pi_TCC1

icalg_precision_enhancement_step_TCC1_PROOF: Prove
  icalg_precision_enhancement_step_TCC1

prec_enh_step3_pr_TCC1_PROOF: Prove prec_enh_step3_pr_TCC1

End ica3_tcc
tcc_proofs: Module

Using countmod_tcc, lemma_final_tcc, division, clockassumptions, ica_tcc,
      ica4_tcc, ica3_tcc

Exporting all
  with countmod_tcc, lemma_final_tcc, division, clockassumptions, ica_tcc,
       ica4_tcc, ica3_tcc

Proof

countmod_TCC4_pr: Prove count_TCC4 from
  countsize, countsize {i ← (if i > 0 then i − 1 else i end if)}

countmod_TCC5_pr: Prove count_TCC5 from
  countsize, countsize {i ← (if i > 0 then i − 1 else i end if)}

posnumber_TCC1_PROOF: Prove posnumber_TCC1 {x ← 0}

synctime_multiples_bnd_TCC1_PROOF: Prove synctime_multiples_bnd_TCC1 from
  rmin_0

synctime_multiples_bnd_TCC2_PROOF: Prove synctime_multiples_bnd_TCC2 from
  div_nonnegative {x ← t, y ← r_min}, rmin_0, ceil_defn {x ← t/r_min}

agreement_proof_TCC1_PROOF: Prove agreement_proof_TCC1 from rmin_0

agreement_proof_TCC2_PROOF: Prove agreement_proof_TCC2 from
  div_nonnegative {x ← t, y ← r_min}, rmin_0, ceil_defn {x ← t/r_min}

sigma_TCC2_PROOF: Prove sigma_TCC2 from
  sigma_size, sigma_size {i ← (if i > 0 then i − 1 else 0 end if)}

icalg_TCC1_PROOF: Prove icalg_TCC1 from N_0

icalg_Pi_TCC1_PROOF: Prove icalg_Pi_TCC1 from N_0

icalg_precision_enhancement_step_TCC1_PROOF: Prove
  icalg_precision_enhancement_step_TCC1 from N_0

prec_enh_step3_pr_TCC1_PROOF: Prove prec_enh_step3_pr_TCC1 from N_maxfaults

icalg_accuracy_preservation_TCC1_PROOF: Prove
  icalg_accuracy_preservation_TCC1 from N_0

icalg_accuracy_preservation_pr_TCC1_PROOF: Prove
  icalg_accuracy_preservation_pr_TCC1 from N_maxfaults

End tcc_proofs
tcc_proofs_tcc: Module
Using tcc_proofs
Exporting all with tcc_proofs
Theory

t: Var lemma_final.posnumber
i: Var naturalnumber

countmod_TCC4_pr_TCC1: Formula ((if i > 0 then i − 1 else i end if) ≥ 0)
synctime_multiples_bnd_TCC2_PROOF_TCC1: Formula (r_min ≠ 0)
sigma_TCC2_PROOF_TCC1: Formula ((if i > 0 then i − 1 else 0 end if) ≥ 0)

Proof

countmod_TCC4_pr_TCC1_PROOF: Prove countmod_TCC4_pr_TCC1

synctime_multiples_bnd_TCC2_PROOF_TCC1_PROOF: Prove
  synctime_multiples_bnd_TCC2_PROOF_TCC1

sigma_TCC2_PROOF_TCC1_PROOF: Prove sigma_TCC2_PROOF_TCC1

End tcc_proofs_tcc
top: Module

Using arith, lemma_final, ica4, tcc_proofs, tcc_proofs_tcc, division_tcc

Theory

Proof

synctime_multiples_bnd_TCC2_PROOF_TCC1: Prove
  synctime_multiples_bnd_TCC2_PROOF_TCC1 from rmin_0

End top
Appendix C

Proof Chain Analysis


The dependency analysis automatically establishes that there are no unproved
statements in the proof that are not axioms or definitions.


C.1 Proof Chain for Agreement

Terse proof chain for proof agreement_proof in module lemma_final


Use of the formula
lemma_final.synctime_multiples_bnd
requires the following TCCs to be proven
lemma_final_tcc.posnumber_TCC1
lemma_final_tcc.synctime_multiples_bnd_TCC1
lemma_final_tcc.synctime_multiples_bnd_TCC2
lemma_final_tcc.agreement_proof_TCC1
lemma_final_tcc.agreement_proof_TCC2

Use of the formula
division.div_nonnegative
requires the following TCCs to be proven
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.ceil_mult_div_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1

The proof chain is complete

The axioms and assumptions at the base are:
clockassumptions.IClock_defn
clockassumptions.Readerror
clockassumptions.VClock_defn
clockassumptions.accuracy_preservation_ax
clockassumptions.beta_0
clockassumptions.correct_closed
clockassumptions.correct_count
clockassumptions.init
clockassumptions.mu_0
clockassumptions.precision_enhancement_ax
clockassumptions.rate_1
clockassumptions.rate_2
clockassumptions.rho_0
clockassumptions.rho_1
clockassumptions.rmax_0
clockassumptions.rmin_0
clockassumptions.rts0
clockassumptions.rts1
clockassumptions.rts2
clockassumptions.rts_2
clockassumptions.synctime_0
clockassumptions.translation_invariance
division.ceil_defn
division.mult_div_1
division.mult_div_2
division.mult_div_3
multiplication.mult_10
multiplication.mult_non_neg
readbounds.induction

Total: 29

The definitions and type-constraints are:
absmod.abs
basics.maxsync
basics.maxsynctime
basics.minsync
clockassumptions.Adj
clockassumptions.okay_Reading
clockassumptions.okay_Readpred
clockassumptions.okay_Readvars
clockassumptions.okay_pairs
lemma3.okayClocks
multiplication.mult
readbounds.okaymaxsync

Total: 12

The formulae used are:
absmod.abs_bnd
absmod.abs_com
absmod.abs_diff_3
basics.ReadClock_bnd
basics.ReadClock_bnd1
basics.ReadClock_bnd11
basics.ReadClock_bnd12
basics.ReadClock_bnd2
basics.abs_shift
basics.lemma_1
basics.lemma_1_1
basics.lemma_1_2
basics.lemma_2_0
basics.lemma_2_1
basics.lemma_2_2a
basics.lemma_2_2b
basics.maxsync_correct
basics.minsync_correct
basics.minsync_maxsync
basics.okay_Reading_shift1
basics.okay_Readvars_shift
basics.okay_Readvars_shift1
basics.okay_Readvars_shift11
basics.okay_Readvars_shift12
basics.okay_Readvars_shift_step2
basics.okay_Readvars_shift_stepb
clockassumptions.okay_Reading_defn_lr
clockassumptions.okay_Reading_defn_rl
clockassumptions.okay_Readpred_Reading
clockassumptions.okay_Readvars_defn_rl
clockassumptions.okay_pairs_Readvars
clockassumptions.precision_enhancement
clockassumptions.rts_0
clockassumptions.rts_1
division.ceil_mult_div
division.ceil_plus_mult_div
division.div_nonnegative
division.mult_div
division_tcc.ceil_mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
lemma3.abs_diff_2
lemma3.accuracy_pres_step0
lemma3.accuracy_pres_step1
lemma3.accuracy_pres_step2
lemma3.accuracy_preservation
lemma3.drift_bnd
lemma3.lemma3_1
lemma3.lemma3_1_1
lemma3.lemma3_2
lemma3.lemma3_2_0
lemma3.lemma3_2_1
lemma3.lemma3_2_step
lemma3.lemma3_2_step1
lemma3.lemma3_2_step2
lemma3.lemma3_2_step3
lemma3.lemma3_3
lemma3.lemma3_3_0
lemma3.lemma3_3_ind
lemma3.maxmax_gap
lemma3.maxsync_max
lemma3.minmax_gap
lemma3.minsync_min
lemma3.okayClocks_defn_lr
lemma3.okayClocks_defn_rl
lemma_final.synctime_multiples
lemma_final.synctime_multiples_bnd
lemma_final.synctime_multiples_step
lemma_final_tcc.agreement_proof_TCC1
lemma_final_tcc.agreement_proof_TCC2
lemma_final_tcc.posnumber_TCC1
lemma_final_tcc.synctime_multiples_bnd_TCC1
lemma_final_tcc.synctime_multiples_bnd_TCC2
multiplication.distrib
multiplication.distrib_minus
multiplication.mult_com
multiplication.mult_ldistrib
multiplication.mult_ldistrib_minus
multiplication.mult_leq
multiplication.mult_lident
multiplication.mult_rident
multiplication.pos_product
readbounds.Cfn_IClock1
readbounds.lemma2_abs_fact
readbounds.lemma_2
readbounds.lemma_2_base
readbounds.lemma_2_ind
readbounds.lemma_2_ind1
readbounds.lemma_2_ind3
readbounds.lemma_2_ind_step
readbounds.okay_Reading_plus
readbounds.okay_Reading_shift2
readbounds.okaymaxsync_defn_lr
readbounds.okaymaxsync_defn_rl

Total: 98

The completed proofs are:
absmod.abs_bnd_proof
absmod.abs_com_proof
absmod.abs_diff_3_pr
basics.ReadClock_bnd11_proof
basics.ReadClock_bnd12_proof
basics.ReadClock_bnd1_proof
basics.ReadClock_bnd2_proof
basics.ReadClock_bnd_proof
basics.abs_shift_proof
basics.lemma_1_1_proof
basics.lemma_1_2_proof
basics.lemma_1_proof
basics.lemma_2_0_proof
basics.lemma_2_1_proof
basics.lemma_2_2a_proof
basics.lemma_2_2b_proof
basics.maxsync_correct_pr
basics.minsync_correct_pr
basics.minsync_maxsync_pr
basics.okay_Reading_shift1_proof
basics.okay_Readvars_shift11_proof
basics.okay_Readvars_shift12_proof
basics.okay_Readvars_shift1_proof
basics.okay_Readvars_shift_proof
basics.okay_Readvars_shift_step2_proof
basics.okay_Readvars_shift_stepb_proof
clockassumptions.okay_Reading_defn_lr_pr
clockassumptions.okay_Reading_defn_rl_pr
clockassumptions.okay_Readpred_Reading_pr
clockassumptions.okay_Readvars_defn_rl_pr
clockassumptions.okay_pairs_Readvars_pr
clockassumptions.precision_enhancement_pr
clockassumptions.rts_0_proof
clockassumptions.rts_1_proof
division.ceil_mult_div_proof
division.ceil_plus_mult_div_proof
division.div_nonnegative_pr
division.mult_div_pr
division_tcc.ceil_mult_div_TCC1_PROOF
division_tcc.div_cancel_TCC1_PROOF
division_tcc.div_ineq_TCC1_PROOF
division_tcc.div_minus_1_TCC1_PROOF
division_tcc.div_nonnegative_TCC1_PROOF
division_tcc.mult_div_1_TCC1_PROOF
division_tcc.mult_div_TCC1_PROOF
lemma3.abs_diff_2_pr
lemma3.accuracy_pres_step0_pr
lemma3.accuracy_pres_step1_pr
lemma3.accuracy_pres_step2_pr
lemma3.accuracy_preservation_pr
lemma3.drift_bnd_proof
lemma3.lemma3_1_1_proof
lemma3.lemma3_1_proof
lemma3.lemma3_2_0_proof
lemma3.lemma3_2_1_proof
lemma3.lemma3_2_proof
lemma3.lemma3_2_step1_proof
lemma3.lemma3_2_step2_proof
lemma3.lemma3_2_step3_proof
lemma3.lemma3_2_step_proof
lemma3.lemma3_3_0_proof
lemma3.lemma3_3_ind_proof
lemma3.lemma3_3_proof
lemma3.maxmax_gap_proof
lemma3.maxsync_max_proof
lemma3.minmax_gap_proof
lemma3.minsync_min_proof
lemma3.okayClocks_defn_lr_pr
lemma3.okayClocks_defn_rl_pr
lemma_final.agreement_proof
lemma_final.synctime_multiples_bnd_proof
lemma_final.synctime_multiples_proof
lemma_final.synctime_multiples_step_proof
multiplication.distrib_minus_pr
multiplication.distrib_proof
multiplication.mult_com_pr
multiplication.mult_ldistrib_minus_proof
multiplication.mult_ldistrib_proof
multiplication.mult_leq_pr
multiplication.mult_lident_proof
multiplication.mult_rident_proof
multiplication.pos_product_pr
readbounds.Cfn_IClock1_proof
readbounds.lemma2_abs_fact_proof
readbounds.lemma_2_base_proof
readbounds.lemma_2_ind1_proof
readbounds.lemma_2_ind3_proof
readbounds.lemma_2_ind_proof
readbounds.lemma_2_ind_step_proof
readbounds.lemma_2_proof
readbounds.okay_Reading_plus_proof
readbounds.okay_Reading_shift2_proof
readbounds.okaymaxsync_defn_lr_pr
readbounds.okaymaxsync_defn_rl_pr
tcc_proofs.agreement_proof_TCC1_PROOF
tcc_proofs.agreement_proof_TCC2_PROOF
tcc_proofs.posnumber_TCC1_PROOF
tcc_proofs.synctime_multiples_bnd_TCC1_PROOF
tcc_proofs.synctime_multiples_bnd_TCC2_PROOF
Total: 99


C.2 Proof Chain for ICA Translation Invariance

Terse proof chain for proof ica_translation_invariance_pr in module ica

Use of the formula
ica.ica_translation_invariance1
requires the following TCCs to be proven
ica_tcc.sigma_TCC1
ica_tcc.sigma_TCC2
ica_tcc.icalg_TCC1

Formula ica_tcc.sigma_TCC2 is a termination TCC for ica.sigma
Proof of
ica_tcc.sigma_TCC2
must not use
ica.sigma

Use of the formula
division.div_distrib
requires the following TCCs to be proven
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.ceil_mult_div_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1

================== SUMMARY ==================

The proof chain is complete

The axioms and assumptions at the base are:
clockassumptions.N_0
division.mult_div_1
division.mult_div_2
division.mult_div_3
ica.fun_extensionality
multiplication.mult_10
readbounds.induction
Total: 7

The definitions and type-constraints are:
ica.fix
ica.icalg
ica.iconv
ica.sigma
ica.sigma_size
multiplication.mult
Total: 6

The formulae used are:
division.div_cancel
division.div_distrib
division_tcc.ceil_mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
ica.fix_trans
ica.ica_translation_invariance1
ica.sigma_trans_inv
ica.sigma_trans_inv_base
ica.sigma_trans_inv_ind
ica_tcc.icalg_TCC1
ica_tcc.sigma_TCC1
ica_tcc.sigma_TCC2
multiplication.distrib
multiplication.mult_lident
multiplication.mult_rident
Total: 20

The completed proofs are:
division.div_cancel_pr
division.div_distrib_pr
division_tcc.ceil_mult_div_TCC1_PROOF
division_tcc.div_cancel_TCC1_PROOF
division_tcc.div_ineq_TCC1_PROOF
division_tcc.div_minus_1_TCC1_PROOF
division_tcc.div_nonnegative_TCC1_PROOF
division_tcc.mult_div_1_TCC1_PROOF
division_tcc.mult_div_TCC1_PROOF
ica.fix_trans_pr
ica.ica_translation_invariance1_pr
ica.ica_translation_invariance_pr
ica.sigma_trans_inv_base_pr
ica.sigma_trans_inv_ind_pr
ica.sigma_trans_inv_pr
ica_tcc.sigma_TCC1_PROOF
multiplication.distrib_proof
multiplication.mult_lident_proof
multiplication.mult_rident_proof
tcc_proofs.icalg_TCC1_PROOF
tcc_proofs.sigma_TCC2_PROOF
Total: 21


C.3 Proof Chain for ICA Precision Enhancement

Terse proof chain for proof icalg_precision_enhancement_pr in module ica3

Use of the formula
ica3.prec_enh_step4
requires the following TCCs to be proven
ica3_tcc.icalg_Pi_TCC1
ica3_tcc.icalg_precision_enhancement_step_TCC1
ica3_tcc.prec_enh_step3_pr_TCC1

Use of the formula
countmod.count
requires the following TCCs to be proven
countmod_tcc.count_TCC1
countmod_tcc.count_TCC2
countmod_tcc.count_TCC3
countmod_tcc.count_TCC4
countmod_tcc.count_TCC5

Formula countmod_tcc.count_TCC4 is a termination TCC for countmod.count
Proof of
countmod_tcc.count_TCC4
must not use
countmod.count

Formula countmod_tcc.count_TCC5 is a termination TCC for countmod.count
Proof of
countmod_tcc.count_TCC5
must not use
countmod.count

Use of the formula
division.div_ineq
requires the following TCCs to be proven
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.ceil_mult_div_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1

Use of the formula
ica.sigma
requires the following TCCs to be proven
ica_tcc.sigma_TCC1
ica_tcc.sigma_TCC2
ica_tcc.icalg_TCC1

Formula ica_tcc.sigma_TCC2 is a termination TCC for ica.sigma
Proof of
ica_tcc.sigma_TCC2
must not use
ica.sigma


================== SUMMARY ==================

The proof chain is complete

The axioms and assumptions at the base are:
clockassumptions.N_0
clockassumptions.N_maxfaults
division.mult_div_1
division.mult_div_2
division.mult_div_3
ica3.Delta_0
multiplication.mult_10
multiplication.mult_non_neg
multiplication.mult_pos
readbounds.induction
Total: 10

The definitions and type-constraints are:
absmod.abs
clockassumptions.okay_Readpred
clockassumptions.okay_pairs
countmod.count
countmod.countsize
ica.fix
ica.icalg
ica.iconv
ica.sigma
ica.sigma_size
ica3.icalg_Mu
ica3.icalg_Pi
multiplication.mult
Total: 13

The formulae used are:
absmod.abs_1_bnd
absmod.abs_2_bnd
absmod.abs_3_bnd
absmod.abs_com
absmod.abs_drift
absmod.abs_leq_0
countmod_tcc.count_TCC1
countmod_tcc.count_TCC2
countmod_tcc.count_TCC3
countmod_tcc.count_TCC4
countmod_tcc.count_TCC5
division.div_distrib
division.div_ineq
division.div_minus_distrib
division.mult_div
division.mult_minus
division_tcc.ceil_mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
ica2.fix_diff
ica2.fix_diff1
ica2.fix_diff2
ica2.fix_diff3
ica2.fix_diff_corr
ica2.iconv_sigma_diff
ica2.okay_Readpred_lr
ica2.okay_Readpred_pairs
ica2.okay_pairs_fix
ica2.okay_pairs_lr
ica2.sigma_diff
ica2.sigma_diff_ind
ica2.sigma_neg
ica2.sigma_neg_ind
ica2.sigma_neg_ind_step
ica2.sigma_pos
ica2.sigma_pos_ind
ica2.sigma_pos_neg
ica2.sigma_split
ica2.sigma_split_ind
ica3.count_complement
ica3.icalg_precision_enhancement_step
ica3.mult_sum_ineq
ica3.prec_enh_step
ica3.prec_enh_step2
ica3.prec_enh_step3
ica3.prec_enh_step4
ica3_tcc.icalg_Pi_TCC1
ica3_tcc.icalg_precision_enhancement_step_TCC1
ica3_tcc.prec_enh_step3_pr_TCC1
ica_tcc.icalg_TCC1
ica_tcc.sigma_TCC1
ica_tcc.sigma_TCC2
multiplication.distrib
multiplication.distrib_minus
multiplication.mult_com
multiplication.mult_gt
multiplication.mult_ldistrib_minus
multiplication.mult_leq_2
multiplication.mult_lident
multiplication.mult_rident
Total: 64

The completed proofs are:
absmod.abs_1_bnd_proof
absmod.abs_2_bnd_proof
absmod.abs_3_bnd_proof
absmod.abs_com_proof
absmod.abs_drift_proof
absmod.abs_leq_0_proof
countmod_tcc.count_TCC1_PROOF
countmod_tcc.count_TCC2_PROOF
countmod_tcc.count_TCC3_PROOF
division.div_distrib_pr
division.div_ineq_pr
division.div_minus_distrib_pr
division.mult_div_pr
division.mult_minus_pr
division_tcc.ceil_mult_div_TCC1_PROOF
division_tcc.div_cancel_TCC1_PROOF
division_tcc.div_ineq_TCC1_PROOF
division_tcc.div_minus_1_TCC1_PROOF
division_tcc.div_nonnegative_TCC1_PROOF
division_tcc.mult_div_1_TCC1_PROOF
division_tcc.mult_div_TCC1_PROOF
ica2.fix_diff1_pr
ica2.fix_diff2_pr
ica2.fix_diff3_pr
ica2.fix_diff_corr_pr
ica2.fix_diff_pr
ica2.iconv_sigma_diff_pr
ica2.okay_Readpred_lr_pr
ica2.okay_Readpred_pairs_pr
ica2.okay_pairs_fix_pr
ica2.okay_pairs_lr_pr
ica2.sigma_diff_ind_pr
ica2.sigma_diff_pr
ica2.sigma_neg_ind_pr
ica2.sigma_neg_ind_step_pr
ica2.sigma_neg_pr
ica2.sigma_pos_ind_pr
ica2.sigma_pos_neg_pr
ica2.sigma_pos_pr
ica2.sigma_split_ind_pr
ica2.sigma_split_pr
ica3.count_complement_pr
ica3.icalg_precision_enhancement_pr
ica3.icalg_precision_enhancement_step_pr
ica3.mult_sum_ineq_pr
ica3.prec_enh_step2_pr
ica3.prec_enh_step3_pr
ica3.prec_enh_step4_pr
ica3.prec_enh_step_pr
ica_tcc.sigma_TCC1_PROOF
multiplication.distrib_minus_pr
multiplication.distrib_proof
multiplication.mult_com_pr
multiplication.mult_gt_pr
multiplication.mult_ldistrib_minus_proof
multiplication.mult_leq_2_pr
multiplication.mult_lident_proof
multiplication.mult_rident_proof
tcc_proofs.countmod_TCC4_pr
tcc_proofs.countmod_TCC5_pr
tcc_proofs.icalg_Pi_TCC1_PROOF
tcc_proofs.icalg_TCC1_PROOF
tcc_proofs.icalg_precision_enhancement_step_TCC1_PROOF
tcc_proofs.prec_enh_step3_pr_TCC1_PROOF
tcc_proofs.sigma_TCC2_PROOF
Total: 65


C.4 Proof Chain for ICA Accuracy Preservation

Terse proof chain for proof icalg_accuracy_preservation_pr in module ica4

Use of the formula
ica4.acc_pres_step
requires the following TCCs to be proven
ica4_tcc.icalg_accuracy_preservation_TCC1
ica4_tcc.icalg_accuracy_preservation_pr_TCC1

Use of the formula
ica.sigma
requires the following TCCs to be proven
ica_tcc.sigma_TCC1
ica_tcc.sigma_TCC2
ica_tcc.icalg_TCC1

Formula ica_tcc.sigma_TCC2 is a termination TCC for ica.sigma
Proof of
ica_tcc.sigma_TCC2
must not use
ica.sigma

Use of the formula
countmod.count
requires the following TCCs to be proven
countmod_tcc.count_TCC1
countmod_tcc.count_TCC2
countmod_tcc.count_TCC3
countmod_tcc.count_TCC4
countmod_tcc.count_TCC5

Formula countmod_tcc.count_TCC4 is a termination TCC for countmod.count
Proof of
countmod_tcc.count_TCC4
must not use
countmod.count

Formula countmod_tcc.count_TCC5 is a termination TCC for countmod.count
Proof of
countmod_tcc.count_TCC5
must not use
countmod.count

Use of the formula
ica3.Delta_0
requires the following TCCs to be proven
ica3_tcc.icalg_Pi_TCC1
ica3_tcc.icalg_precision_enhancement_step_TCC1
ica3_tcc.prec_enh_step3_pr_TCC1

Use of the formula
division.abs_div
requires the following TCCs to be proven
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.ceil_mult_div_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1

================== SUMMARY ==================

The proof chain is complete

The axioms and assumptions at the base are:
clockassumptions.N_0
clockassumptions.N_maxfaults
division.mult_div_1
division.mult_div_2
division.mult_div_3
ica3.Delta_0
multiplication.mult_10
multiplication.mult_non_neg
multiplication.mult_pos
readbounds.induction
Total: 10

The definitions and type-constraints are:
absmod.abs
clockassumptions.okay_Readpred
clockassumptions.okay_pairs
countmod.count
countmod.countsize
ica.fix
ica.icalg
ica.iconv
ica.sigma
ica.sigma_size
multiplication.mult
Total: 11

The formulae used are:
absmod.abs_1_bnd
absmod.abs_2_bnd
absmod.abs_3_bnd
absmod.abs_drift
absmod.abs_leq_0
absmod.abs_plus
countmod_tcc.count_TCC1
countmod_tcc.count_TCC2
countmod_tcc.count_TCC3
countmod_tcc.count_TCC4
countmod_tcc.count_TCC5
division.abs_div
division.div_cancel
division.div_distrib
division.div_ineq
division.div_minus_1
division.div_minus_distrib
division.div_nonnegative
division.mult_div
division.mult_minus
division_tcc.ceil_mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
ica2.okay_Readpred_lr
ica2.sigma_diff
ica2.sigma_diff_ind
ica2.sigma_pos
ica2.sigma_pos_ind
ica2.sigma_split
ica2.sigma_split_ind
ica3.count_complement
ica3.mult_sum_ineq
ica3_tcc.icalg_Pi_TCC1
ica3_tcc.icalg_precision_enhancement_step_TCC1
ica3_tcc.prec_enh_step3_pr_TCC1
ica4.acc_pres_sigma_neg
ica4.acc_pres_sigma_pos
ica4.acc_pres_step
ica4.okay_Readpred_fix_diff
ica4.okay_Readpred_fix_diff2
ica4.sigma_abs
ica4.sigma_duplicate
ica4_tcc.icalg_accuracy_preservation_TCC1
ica4_tcc.icalg_accuracy_preservation_pr_TCC1
ica_tcc.icalg_TCC1
ica_tcc.sigma_TCC1
ica_tcc.sigma_TCC2
multiplication.distrib
multiplication.distrib_minus
multiplication.mult_com
multiplication.mult_gt
multiplication.mult_ldistrib_minus
multiplication.mult_leq_2
multiplication.mult_lident
multiplication.mult_rident
multiplication.pos_product
Total: 60

The completed proofs are:
absmod.abs_1_bnd_proof
absmod.abs_2_bnd_proof
absmod.abs_3_bnd_proof
absmod.abs_drift_proof
absmod.abs_leq_0_proof
absmod.abs_plus_pr
countmod_tcc.count_TCC1_PROOF
countmod_tcc.count_TCC2_PROOF
countmod_tcc.count_TCC3_PROOF
division.abs_div_pr
division.div_cancel_pr
division.div_distrib_pr
division.div_ineq_pr
division.div_minus_1_pr
division.div_minus_distrib_pr
division.div_nonnegative_pr
division.mult_div_pr
division.mult_minus_pr
division_tcc.ceil_mult_div_TCC1_PROOF
division_tcc.div_cancel_TCC1_PROOF
division_tcc.div_ineq_TCC1_PROOF
division_tcc.div_minus_1_TCC1_PROOF
division_tcc.div_nonnegative_TCC1_PROOF
division_tcc.mult_div_1_TCC1_PROOF
division_tcc.mult_div_TCC1_PROOF
ica2.okay_Readpred_lr_pr
ica2.sigma_diff_ind_pr
ica2.sigma_diff_pr
ica2.sigma_pos_ind_pr
ica2.sigma_pos_pr
ica2.sigma_split_ind_pr
ica2.sigma_split_pr
ica3.count_complement_pr
ica3.mult_sum_ineq_pr
ica4.acc_pres_sigma_neg_pr
ica4.acc_pres_sigma_pos_pr
ica4.acc_pres_step_pr
ica4.icalg_accuracy_preservation_pr
ica4.okay_Readpred_fix_diff2_pr
ica4.okay_Readpred_fix_diff_pr
ica4.sigma_abs_pr
ica4.sigma_duplicate_pr
ica_tcc.sigma_TCC1_PROOF
multiplication.distrib_minus_pr
multiplication.distrib_proof
multiplication.mult_com_pr
multiplication.mult_gt_pr
multiplication.mult_ldistrib_minus_proof
multiplication.mult_leq_2_pr
multiplication.mult_lident_proof
multiplication.mult_rident_proof
multiplication.pos_product_pr
tcc_proofs.countmod_TCC4_pr
tcc_proofs.countmod_TCC5_pr
tcc_proofs.icalg_Pi_TCC1_PROOF
tcc_proofs.icalg_TCC1_PROOF
tcc_proofs.icalg_accuracy_preservation_TCC1_PROOF
tcc_proofs.icalg_accuracy_preservation_pr_TCC1_PROOF
tcc_proofs.icalg_precision_enhancement_step_TCC1_PROOF
tcc_proofs.prec_enh_step3_pr_TCC1_PROOF
tcc_proofs.sigma_TCC2_PROOF
Total: 61